It’s been reported today that the UK security service, MI5 has accused China of bugging and initiating acts of espionage on UK business executives, to obtain sensitive commercial secrets.

The story, from a leaked MI5 document says that undercover intelligence officers from China’s People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts”. The gifts — such as USB memory sticks and other digital media — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers.

This is yet another example of the use of innocuous-looking devices in an attempt to harvest sensitive or confidential data. The best advice to protect your PC and corporate networks is to use only authorised, secure flash drives, preferably with on-board anti-malware scanning capability, and lock out unauthorised devices. After all, Trojan horses are no longer larger than life and made of wood.

We have posted about this a little earlier this year, but it’s worth mentioning again that the UK Information Commissioner’s Office, which is the data watchdog for the UK Government, continues to take tough measures with public sector organisations that have suffered data breaches.

Most recently, a UK healthcare organisation misplaced 3 unsecured USB flash drives with confidential patient details, and has signed an undertaking confirming that the Trust will take a number of steps to ensure personal data is kept securely.
 
The Assistant Commissioner at the ICO said: “I urge all NHS organisations to restrict and encrypt the amount of sensitive information stored on portable devices. In this case, our investigation found that there was a lack of understanding and awareness among staff of their responsibilities under the Data Protection Act.”

This is good practice, and a good argument for deploying secure USB flash drives.

In one of the UK’s biggest public-sector data leaks of 2008, the Home Office lost the details of all of the prisoners in UK jails.  The data was on an unsecured USB flash drive that was lost by contractor PA Consulting, as we’ve discussed on this blog earlier this year.

There’s now been a major new development on this data loss.  According to the Government department’s newly released Resource Accounts for 2008-09 (PDF at link), the USB memory stick contained more than just prisoner data.  It also had UK Police National Computer information, making a total of 377,000 records, 250,000 more than originally reported.

As mentioned previously, after the original data breach, the Home Office terminated its contract with PA Consulting, and carried out “a full review of the system and procedures” that led to the breach. 

This example shows just how serious the fall-out can be from a single lost device.  All the more reason to remove the risk of data loss entirely, by using secure USB flash drives.

The UK Ministry of Defence’s latest resource accounts (PDF at link) show that the department suffered eight serious data breaches from 2008 to 2009, compared with just two in the preceding year.

The biggest incident was the loss of a portable hard disk from a contractor’s premises, which contained the names, passport information and bank account details of an estimated 1.7 million service personnel.

Others included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 to 2008 and details of family members. 

As with the data loss incidents involving HSBC we mentioned recently, the Ministry says it has launched a campaign to educate staff about the importance of data security, together with training courses on protecting information.  These are good signs.  But training alone isn’t enough – security demands a mix of policies and solutions in order to be effective.  There is still some way to go before we reach the target of true security for all personal data.

The UK Government is making giant strides in tightening up data security, and in public disclosure of security breaches, following the high-profile losses from public bodies over the past 18 months. 

The issue is being policed strongly.  This week, the Government’s Information Commissioner issued further warnings to a number of National Health Service bodies about the importance of protecting data, with instructions for them to adhere to the UK Data Protection Act.

Five healthcare bodies were found to have breached regulations, ranging from stolen laptops, lost CDs and lost USB flash drives.  All were unencrypted and all contained potentially sensitive patient data.

It’s good news that data protection and corporate governance is being enforced at this level.  With the right combination of policies and products, everyone’s data can be kept a little safer.

With around 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12 this year, rogue employees and hackers were the major causes according to figures released this week by the Identity Theft Resource Center.

Theft by employees and hacking were each responsible for 18% of all incidents, an increase of around 10% compared with the same period in 2008.

The Center also found that 14% of breaches so far this year were due to data contained on lost or stolen digital media, such as a laptop or USB thumb drives.  That’s still a significant number – and all the more reason to consider using a secure USB flash drive solution, such as our Cruzer Enterprise range.

We often see newsflashes telling us about the latest data breach, caused by a lost thumb drive or stolen laptop.  But what happens after the initial loss?  What are the ramifications and the fall-out?

This article shows what happened after a loss of very sensitive data in August 2008, when an employee of IT contractor PA Consulting lost a USB flash drive with the details of all the UK’s 84,000 prisoners.

The contractor was working for the UK Government’s Home Office and human error led to the stick and the unencrypted data being misplaced.  The employee immediately told supervisors, who then told the UK Ministry of Justice (MoJ) and the Home Office.  Although police were brought in to search the offices and the employee’s home and car for the missing memory stick, it was never found.

The unhappy result was, the contractor lost its contract, and the employee’s and line managers’ jobs were lost too.  Home Office staff are now advised not to use flash drives.  All for a single data loss. 

The fact is, it’s impossible to stop devices getting lost or stolen.  But the risk can be mitigated – and the extensive, unpleasant fall-out stopped – by enforcing encryption on these devices.

The results from a recent international security survey showed that a majority of small & medium businesses (SMBs) felt they lacked basic security measures to protect their sensitive business data.

The top three security concerns stated by SMBs were viruses, data breaches, and loss of confidential or proprietary information through USB and other devices.

Yet one of the key findings was the low take-up of endpoint security of any kind, with well over half (56%) of the SMBs surveyed saying they had no endpoint protection deployed.  Two of the key reasons stated for this low level of uptake were lack of budget (41%) and employee skills (40%).

However, there’s no need to spend big money, or deploy large-scale solutions to secure against data loss or leaks via USB.  Secure USB flash drives enable staff to enjoy the portability and convenience of USB without the risks, by automatically securing data copied to them. 

What’s more, these drives can add additional security features, such as anti-malware capability while being easy to use, as this review shows.

With security, it’s often the small things that count.

Have you ever looked at all the data breaches that have occurred in the past 18 months, and thought “that couldn’t happen to me”?  The truth is, it can happen to anyone, and at more or less any time.

All it takes is a moment’s inattention to lose a thumb drive or disk.  And if the data on that device is not protected in any way, congratulations:  it’s your own data breach. 

To highlight that it can indeed happen to anyone, this article on Enrique Salem, president and CEO of security giant Symantec is revealing.  In it, he admits that he has personally lost a USB flash drive containing confidential information.

He also points out that certain data security features need to be automated – such as mandatory encryption, alerts to administrators in the event of protected data being accessed, and more.  This security best practice helps to ensure confidential data stays confidential. 

So if you’ve ever lost a flash drive in the past, don’t worry:  it can even happen to CEOs of security companies.  But if you think it cannot happen to you, you might want to think again.