Secure USB Drive

When a high-profile data loss occurs, it’s always easy for an organisation to blame an individual for breaching security policies and processes.  But is it helpful?  Does it solve the issue?  In some cases, the blame game can divert attention away from the real issue that caused the security breach – and making it more likely that it could happen again.

This is a point highlighted in this article from UK title Computer Weekly.  It references two recent cases of USB thumb drive losses that affected on the UK Government.

The first, in November 2008, was when an IT analyst from a computer management firm left a memory stick in a pub car park that had confidential pass codes to the online Government Gateway system. The memory stick was found, but passed on to the UK’s Daily Mail newspaper.  This led to the UK government temporarily closing the online Government Gateway, while it probed the breach.

The second was the loss of a thumb drive by an employee of PA Consulting.  The drive contained data on 84,000 criminals. 

Both losses were blamed on the individual and the breach of policy – but the question is, did the organisations concerned also review why the employee was able to download this data, unsecured, in the first place? 

So it’s not enough to blame an individual for the mistake.  Policies must be reviewed – and enforced by solutions, such as issuing staff with secure USB flash drives, that feature mandatory encryption.  This way, losses can be contained without blame for either staff or individuals.