USB sticks: simply practical or simply too risky?

    In a surprisingly large number of companies, employees can use USB flash drives without restrictions. Thus, confidential data can easily fall into the wrong hands. What is the best way to deal with the tiny storage devices?

     

    A mishap with a USB flash drive can easily turn into a scandal. This occurred recently, for example, when a customer of a German mobile phone shop received a memory stick with a backup of her smartphone – including personal data and passwords of other customers. In 2017, London Heathrow Airport hit the headlines: A flash memory had fallen into the hands of a third party; it contained, among other things, details of the Queen's personal protection. USB media can also be used against companies with full intent, for instance for spying: so-called keyloggers which record all keyboard entries on a computer and forward them to obscure recipients via WLAN are nowadays available to anyone.

    Looking at these risks, it's surprising how many companies are rather generous with USB devices. According to a customer survey conducted by storage media manufacturer Kingston, in 2016 more than half of the participants used private USB drives also for work and vice versa. Nearly three-quarters stated that flash media had already been lost in their company. The way companies deal with this issue is often just a symptom of a larger problem: Where there are no rules for the use of flash drives, it is not uncommon that this company is also lacking guidelines and technologies to prevent data leaks in any form.

    The example of USB storage media is good to illustrate how effective Data Leakage Prevention (DLP) should be organized:

    1. Classifying data according to confidentiality

    Organizations that work with sensitive data need clear guidelines: What information can be disclosed to the public? What is reserved for the eyes of employees only, or even for selected groups of employees?

    2. Defining rules for technology

    For each data class, technical protective measures must be described in an Information Security Management System. For example, it must be defined whether certain data has to be encrypted. These rules also apply to hardware. USB devices, for instance, can be generally prohibited or just restricted: Employees may only connect virus-tested, password-protected USB hardware to their computers. It may be prohibited to charge your private smartphone on your office PC – or it may be permitted as long as the devices do not exchange data.

    3. Special systems as guardians of sensitive information

    Antivirus software and firewalls protect against intruders, but not against data which accidentally reaches the wrong recipients. Special DLP systems ensure that hardware and software comply with security guidelines. For example, you will only be able to connect encrypted USB drives to company computers. Such devices can also be set up in a way that IT can remotely lock them or delete data stored on them. Other DLP systems continuously monitor the metadata of files or scan documents for sensitive content before data leave the company.

    4. Getting more conscious and cautious

    Security technology can be as good as it gets – when employees don’t take care of their USB devices, that's more than just a residual risk. Think of a flash drive being lost, forgotten in a hotel or stolen from a car – including sensitive business strategy information. Even if the data carrier is encrypted, this won’t help much if the password is "12345". That is why regular IT security trainings are indispensable.