Secure USB Drive

The personal health records of over 83,000 Canadians have been lost on an unencrypted USB memory stick.

The device was lost by a member of staff from a centre in Ontario State, and contained data collected from everyone who attended H1N1 or seasonal flu vaccination clinics in the region over a period of nearly two months. The information included personal information such as names, addresses, phone numbers, dates of birth, health card numbers, doctor’s names and so on. Read More »

Another UK council has had to sign an undertaking with the UK Information Commissioner’s Office (ICO) to better safeguard its data after an unencrypted USB memory stick was lost in the post.

The device, lost by Shropshire Council in England, contained personal and health details of vulnerable members of the public, and of members of the council’s own staff who were working in the sensitive adult social care department. It was being sent by post from the council to a contractor in Cardiff.

The ICO said the loss breached the Data Protection Act, and the undertaking the council has signed requires education of staff on data security, and encryption of portable and mobile devices used to store and transmit personal data.

These incidents show the need for always-on, mandatory protection of data written to removable media: protection which is delivered from use of our Cruzer Enterprise range of secure USB flash drives.

It’s been a high-profile year for USB memory sticks: they have been the subject of many headlines thanks to a series of losses and theft incidents, and have been exploited as a new vector for spreading malware across networks (thanks to Conficker and related Autorun-exploiting worms). Read More »

The UK Government’s former Information Commissioner, Richard Thomas, was recently interviewed by SC Magazine. It makes a very interesting read, especially on what Thomas describes as “politicians, senior civil servants and managers … not understanding the technologies and the risks.”

It also gives an insight into plans to introduce stronger powers for the Information Commissioner’s Office, such as increased notification fees for data breaches for larger organisations, new powers of inspection and much stronger sanctions against companies that have experienced breaches.

New sanctions are also planned to be introduced from next year when ‘a company or government department deliberately or recklessly ignore data protection requirements, and cause serious harm, then they will face a civil penalty’. Thomas explains that this will affect anyone who is a data controller, and there are over 300,000 of them in the UK.

All the more reason for organizations to evaluate their approach to portable data security – and take appropriate action to secure critical information.

A recent survey of London taxi drivers shows that December is the worst time of year for losing mobile phones, laptops and memory sticks.

Apparently some 10,000 mobiles are left behind in taxis every month, and over 1,000 laptops, flash drives and other removable devices too. It’s believed that most of these losses happen because they slip out of peoples’ pockets, or are simply forgotten as passengers rush to their next meeting or destination.

The good news is that London cabbies are more honest than their counterparts in New York:
80% of taxi drivers in London claimed that they had reunited owners with their devices once they were found, compared to just 66% in New York.

Even so, it’s all the more reason to secure any data on these portable devices with encryption – just in case you’re one of the 20% whose device isn’t found.

We’ve all lost things at some time in our lives – car keys, wallet, mobile phone – and have experienced the frustrations this can cause.  Some might have lost things like laptops, and had to suffer the problems of paying for a replacement, and the loss of useful information that was on the device. 

These problems are irritating, but usually don’t cause much more than minor inconvenience.  If only it was the same in the business world.  That laptop loss, or loss of a USB flash drive, could be just the first of many problems.  Does the business know what data was on that PC or thumb drive?  Did the user remember to encrypt the data?  What are the ramifications if the data falls into the wrong hands?

This article from Jon Collins, head of research company Freeform Dynamics, looks at practical, good-practice steps companies can take to minimise the fallout from device losses. 

It maps closely onto the benefits our secure USB flash drives and data management solution deliver to users – automated, transparent protection of data, the ability to track and audit what data has been copied to devices, and remote device termination.  With the right equipment, small problems will stay small.

Here are some sobering statistics from a recent US survey of IT professionals.  The leading magazine InformationWeek recently announced the findings of its State of Encryption Survey, which polled the opinions of 499 IT staff. 

Only 14% of respondents said encryption is used across their organisations, and just 38% said they encrypt data on mobile devices.  The main reason for deploying encryption (31%) was to meet regulatory requirements – and there’s a strong reason for this, as 44 US states enforce mandatory disclosure of data breaches, and such disclosure can cost organisations hundreds of thousands of dollars. Read More »

Earlier this week, the Information Security Forum’s World Congress was held in Vancouver, Canada.  One of the keynote speakers was FBI Assistant Director of Cybersecurity, Shawn Henry.  He spoke about how the new and emerging threats against security are proving effective, and how exploiting security flaws is costing corporates in hard cash.

He also related some recent, effective hacking techniques which his department had investigated.  A key example was during a recent conference, where a malicious party left several USB memory sticks in a nearby parking area, with each device containing malware. Any conference attendee plugging the drive into their laptop to see who it belonged to “was providing egress for a potential adversary,” said Henry.

This reinforces the need for organisations to control how they allow the use of USB devices – good practice is to lock out unauthorised or personal devices, to avoid the risk of this type of hack, and to issue staff with secure USB flash drives that safeguard data against loss or theft.

Last week’s episode of the British satirical comedy, The Thick of It, showed how the concept of a major public-sector data loss has become so mainstream that it can be the subject of an entire programme.

The story was based around the accidental wiping of a large volume of citizen data within a Government department, with no backup available, and follows the frantic efforts of the department to stop the news leaking to the press. Read More »

More UK companies and Government departments than ever are reporting data losses to the Information Commissioner’s Office, the UK data watchdog, according to recent data.

Reported incidents grew nearly 100% to 356 data losses in the period between November 2008 and September 2009, compared to 190 incidents between October 2007 and November 2008.

The most common type of loss was due to stolen hardware, usually laptops, with 127 such cases.  Another 71 were due to lost hardware – usually USB flash drives – and 78 due to misaddressed discs or memory sticks. 

It’s hard to say whether the number of losses has increased, or if organisations are simply reporting more losses than in previous years.  But it’s reasonable to assume that many of these losses would not have caused problems if the data had been stored on a secure USB flash drive.