The old security chestnut of lost USB sticks is back in the news again, with reports of a stick containing a safety assessment of a nuclear power plant in North-East England going walkabout from the Office for Nuclear Regulation (ONR).
The unencrypted USB stick contained a ‘stress test’ safety assessment of the Hartlepool plant, but the ONR – undoubtedly playing the incident down – has said the stick did not contain significantly sensitive data. However, the fact that the data was also available on the Internet is actually a red herring, as the real point here is that the ONR employee should not have been using an unencrypted USB stick.
It is all very well that the ONR has pronounced that the use of unencrypted devices for transporting documents with a security classification is not allowed, but there should be security systems in place to stop these incidents from happening, and other technologies, such as automated encryption, to back up those systems.
These unprotected USB stick loss incidents have been in and out of the news for some time. Back in January, for example, the ICO and its counterpart in the Isle of Man slammed a healthcare firm called Praxis Care, following the loss of a USB stick containing personal information on 160 patients.
And in early February, East Lothian Council was hit by a large penalty after the details of more than 1,000 school pupils were lost when a USB stick went for a stroll. Then, if you look further back, there have been numerous incidents involving these digital equivalents of floppy disks over the last few years. The complexity of USB sticks is also starting to rise, as is the level of storage one can buy for under ten pounds – the petty cash limit in most offices.
We are starting to see the arrival of GPS/GSM-enhanced USB sticks, which – like an Apple iPhone – can be tracked as they move around in someone’s briefcase, purse or pocket… but this is not a cheap hobby. Furthermore, tracking locates the stick but does not necessarily secure the data on it.
Using encryption and policy-based network/IT resource security is a lot cheaper – and far more cost-effective, as the marginal cost of enrolling a USB stick in a security programme is very low when most solutions offer a level of automation that minimises human intervention.
And even where the total cost of ownership (TCO) issue is considered to be of paramount importance in an organisation, high-level encryption is now the standard way of protecting data in most firms, even when that data is carried around on a USB stick.
You will be hard-pressed to stop USB stick incidents from taking place, owing to their ubiquity. As long as people can buy these devices for a few pounds at their local supermarket, they will continue to be a headache for IT managers.
What is not a headache, however, is the ease with which encryption and allied security technologies can be deployed to ensure that any information taken from a network asset is automatically encrypted whatever the format used.
Furthermore, being able to wipe data remotely is a huge plus. And when you factor in the ease with which ancillary security technologies – such as content and endpoint security – can be deployed, it’s something of a no-brainer to install and use them.