The UK Government Information Commissioner’s Office (ICO) continues to be firm with public sector organisations that have had data losses.

This week, a Council in central England has agreed to comply with data protection principles, and signed an undertaking to assure the ICO that personal data will be kept securely in future.  A council employee lost an unencrypted memory stick which contained highly sensitive personal information on four families.

As part of the commitment, the council has agreed to ensure that portable and mobile devices, including laptops, USB flash drives etc are encrypted.  Staff will also be trained and made aware of policies for storage and use of personal information.

It’s good to see that these measures are being taken over losses of personal data, even when the actual volume of lost data is small.  Let’s hope that other countries take an equally firm stance on this issue.

The results from a recent international security survey showed that a majority of small & medium businesses (SMBs) felt they lacked basic security measures to protect their sensitive business data.

The top three security concerns stated by SMBs were viruses, data breaches, and loss of confidential or proprietary information through USB and other devices.

Yet one of the key findings was the low take-up of endpoint security of any kind, with well over half (56%) of the SMBs surveyed saying they had no endpoint protection deployed.  Two of the key reasons stated for this low level of uptake were lack of budget (41%) and employee skills (40%).

However, there’s no need to spend big money, or deploy large-scale solutions to secure against data loss or leaks via USB.  Secure USB flash drives enable staff to enjoy the portability and convenience of USB without the risks, by automatically securing data copied to them. 

What’s more, these drives can add additional security features, such as anti-malware capability while being easy to use, as this review shows.

With security, it’s often the small things that count.

It looks like USB flash drives are becoming a popular vector for spreading malware.  A 4 year old worm has been reactivated and is now spreading through the use of thumb drives, according to Microsoft’s Malware Protection Center (MMPC).

According to the MMPC, the ‘Neeris’ worm is copying some of the infection strategies of Conficker.  The timing of its reappearance is also unusual, as it appeared a day before Conficker’s ‘activation’ date of 1st April.

Neeris’ makers have recently added an exploit for the MS08-067 vulnerability that Microsoft patched in October last year.  Conficker also exploits this vulnerability and became one of the biggest malware outbreaks ever, early in 2009. 

Although Neeris is not yet widespread, and its purpose and effect seems to be relatively benign at this point, it’s worth making sure that all systems are patched against the MS08-067 vulnerability, as detailed in the link above.

Hay Group, a global management consultancy, is deploying Cruzer Enterprise secure USB flash drives and Central Management & Control (CMC) software to help protect confidential business and client data.

The company’s UK operation wanted to extend data security to cover USB flash drives, and add further protection for third-party data and internal files against loss or theft while its consultants are away from the office.  The company also plans to deploy SanDisk’s Central Management & Control (CMC) software to manage the lifecycle of the drives.
 
Gary Spokes, Hay Group’s data protection officer said:  “Intellectual property is our business – and clients rely on our confidentiality.  As part of our ongoing drive to improve data security, we identified the increasing use of USB memory sticks by our consultants.  We wanted a solution that kept the convenience of the drives, while ensuring data was fully protected.”
 
Hay Group UK IT manager Parminder Bharj added:  “The CMC software was a key factor for us, as it synchronizes with Active Directory to ensure adherence to our data security policies.  For example, we can ensure users can only set complex passwords, and terminate drives that are lost or stolen.  It lets users get on with their work without having to worry about data being secured.”