The first commercially-available USB flash drives were released in 2000 with a storage size of just 8 megabytes. Fast forward eleven years and the size has increased by roughly 130,000x or more. Today a 8GB USB flash drive cost as a little as £7 and obviously can store a lot more data with ease. 8MB was just enough for a few documents, these days 128GB could store all the data on someone’s computer … documents, photos, videos, music, accounts and a lot more, including sensitive personal data.
Due to the shear storage capacity and price, individuals and companies can now easily afford USB flash drives. Documents can be copied in seconds, carried around or posted. This can, of course, result in a serious security problem as most USB flash drives have no encryption or password protection. If someone loses a USB flash drive on the train, someone will pick it up and automatically plug it into their own computer.
Out of curiosity, the ‘finder’ will browse through your data and, of course, there is a small chance that he or she may try to return it to you if the data includes a contact. While the ‘finder’ may be an innocent commuter, he or she could also post your data on forums, sell it to rival companies or sell it to the press. In a moment your precious personal or business data could be all over the media. The result … bad publicity, loss of customers, loss of license and/or a fine of up to £500,000 or more.
Secure solutions such as the IronKey are available … but at a cost of between £70 and £300 per USB flash drive. IronKeys do offer high levels of security and compliance but at a starting price of £70 they are not cheap and no-one wants to lose £70 in a instant. Another option is TrueCrypt, an open-source free tool for securing USB devices which offers high security but no compliance and it is slow and technical to set up. It is simply not practical for a company to spend one or more hours setting up a single device.
Schools, local councils, the NHS and businesses have a habit of losing sensitive data on USB drives. In 2008 the discovery of a USB memory stick containing classified NATO information in a Stockholm library prompted a high-level meeting between Swedish Military Intelligence and Security Service and international defence officials. Sadly, numerous similar incidents regularly appear in the media.
Policy alone will not stop data leaks from removable media such as the USB stick, USB hard drives, CDs, DVDs and memory cards. As the expression goes, ‘rules are meant to be broken’ and it only takes one non-compliant employee to cause a major problem. A better solution is implementing a pro-active mandatory encryption solution that will stop un-encrypted data from leaving the building and ensure that all files saved to removal media are encrypted.