A USB memory stick containing highly sensitive Heathrow security data, including details of the Queen’s route to the airport and her security measures, was found lying in the street over the weekend. IT security experts commented below.
Geoff Webb, Vice President, Product Marketing and Solutions Strategy at Micro Focus:
“It’s definitely not the first time that a lost USB stick has turned up with sensitive information on it. The fact that it was unencrypted is obviously the concern – many organisations have clear policies in place to ensure that information is encrypted wherever it is stored, including on removable media. More broadly, the ability to quickly copy and move very large amounts of data means that encryption will increasingly need to be a standard part of business risk management strategy in order to control access to sensitive information like this. It’s simply too easy to copy information and walk out the door with it (or move it up to a cloud file sharing service) and if the information isn’t encrypted, the potential for loss is significant.”
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group:
“The EU is moving toward a remarkably strong data privacy regulation. There is nothing in the works in the US that will provide equivalency to the EU GDPR which goes into effect this coming May 25. My take for EU businesses that need to engage with US data processors is not to trust them. For that matter you should never trust any organization that handles your data. You should encrypt that data as soon as possible. You should store and protect the encryption keys. And you should be able to systematically erase any data at any time in any place.
Once again, we are reminded that data, even secret data, will find a way out. Every organisation sacrifices security for convenience and transporting collections of documents via USBstick is super convenient. As a matter of fact, many organisations, even the US Department of Defense, segment their networks so there is no easy way to transmit files between secured facilities. Thus, USB thumb drives are turned to and it is no surprise that one of them fell out of someone’s bag.
Fixing this problem is not easy but the requirements are well known. It is a combination of data management, where classification and appropriate access controls are put in place. Of course, encryption plays a big role in protecting data. But controlling how USB devices are used is another aspect. Endpoints should be locked down so that the USB ports are strictly controlled and monitored. Only approved devices should be allowed to be inserted and those should always be encrypted.
Another aspect to worry about when doing a complete data audit is where does the data end up? Are there copies of secret documents all over? Those should be sanitized. A comprehensive data santization policy and plan can address the trillions of gigabytes of so called “dark data” that resides in organizations around the world.”