We saw in 2008 and 2009 how worms came back to prominence, thanks to the wide spread of Conficker and its variants. A timely reminder that the threat is still high was given last week, when Google revealed a highly sophisticated series of cyberattacks originating from China that stole some of its intellectual property and affected about 30 other Silicon Valley companies.

This recent attack shows how malicious software has evolved into an advanced weapon that can specifically target companies – even companies as advanced as Google – with the aim of gaining a financial or competitive advantage.

Attackers will try any method available to seed the malware onto a company network, including infecting USB flash drives and distributing them at events, or “losing” them in car parks for unwitting employees to find. That’s why latest-generation secure flash drives, such as our own Cruzer Enterprise range, can also feature onboard anti-malware scanning to nullify this threat.

The UK Government’s former Information Commissioner, Richard Thomas, was recently interviewed by SC Magazine. It makes a very interesting read, especially on what Thomas describes as “politicians, senior civil servants and managers … not understanding the technologies and the risks.”

It also gives an insight into plans to introduce stronger powers for the Information Commissioner’s Office, such as increased notification fees for data breaches for larger organisations, new powers of inspection and much stronger sanctions against companies that have experienced breaches.

New sanctions are also planned to be introduced from next year when ‘a company or government department deliberately or recklessly ignore data protection requirements, and cause serious harm, then they will face a civil penalty’. Thomas explains that this will affect anyone who is a data controller, and there are over 300,000 of them in the UK.

All the more reason for organizations to evaluate their approach to portable data security – and take appropriate action to secure critical information.

Torbay Care Trust, an integrated community health and adult social care organisation in the South West of England, has chosen our Cruzer Enterprise secure USB flash drives to help protect mobile data stored on the drives from unauthorized access.

The organisation has purchased and rolled out 1000 Cruzer Enterprise flash drives. The drives will be issued to and used by all staff members, in particular those employees working remotely or transferring data between sites.
 
“We decided to deploy an encrypted USB solution across the Trust as data security breaches have become a national concern,” said Sue Fankhauser, IT buyer for Torbay Care Trust. “Our IT department felt that it was necessary to employ a best-practice solution to protect data against any potential threats and to reassure the public that patient data is secured. After evaluating numerous encrypted flash drives, we chose the Cruzer Enterprise flash drive because it met all of our security requirements.
 
“We also asked SanDisk to send us the USBs without any unnecessary packaging - which they were more than happy to do. As well as being environmentally friendly, this produced no waste at our end, helping to support our eco-friendly policies.”
 
Recent data security breaches within other Government organisations have led to calls for greater data security with transportable media devices, such as data sticks, and by deploying the SanDisk drive, Torbay Care Trust feels it is setting the standard for others to follow.

Earlier this week, another UK Health Service body suffered a data breach when a member of staff lost an unencrypted pen drive.  The drive contained the details and medical records of thousands of patients, including patients’ names, addresses, dates of birth, hospital and national insurance numbers and details of their medical treatment.
 
The data had been downloaded against data handling regulations, and has not been found as yet, forcing the organisation to make a public apology and write to all the patients whose details have been lost. 

This is in contrast to a similar UK health organisation which deployed SanDisk’s secure USB flash drives to all its key staff, to secure mobile data and protect against just this type of breach.  By using the Cruzer Enterprise drives, data is encrypted without the user being able to tamper with the process, and without affecting drive performance or usage.  This makes it a win-win both for the organisation and for the users.  An altogether healthier approach to security.

According to a new report, just 27% of the Ministry of Defence’s IT systems meet the Government’s own data security standards, following a review. 

 The Government developed tough data handling sanctions in summer 2008 following a series of high profile data breaches from public sector organisations. 

 Under the new security measures, any USB flash drive, disk drive or laptop containing sensitive information has to be encrypted if it is to be taken out of Government offices - which is a significant, but achievable task, especially if secure thumb drives are used.

 To highlight just how vulnerable an unsecured flash drive is, in summer 2008, the MoD admitted that it had lost 658 laptops and 121 USB memory sticks since 2004 - with some of those lost drives containing military information classed as “Secret”.  So, securing USB drives is a vital first line of defence against data losses.

A new report has confirmed what we already suspected:  2008 was the worst year yet for data losses and breaches. 

 The US-based Identity Theft Resource Center (ITRC) has announced there were 646 data breach incidents reported in 2008, a 47% increase over 2007, which was the previous record for the most breaches in a single year.

 The ITRC believes the increase is partly a result of wider use of unsecured USB drives and other portable storage media.  These were the biggest type of incident, accounting for 135 breaches - more than the 91 hacking incidents, or the 95 cases of accidental distribution of data publicly on the Internet.

 Many of these breaches could have been prevented, simply by using secure memory sticks with mandatory encryption to protect data on the move.  And ‘insider’ breaches - where employees take data for unauthorised use - can be tracked and quickly addressed with the right type of centralised management software.

 Is it too much to hope that 2009 will see a reduction in data breaches, for a change?