A USB memory stick containing highly sensitive Heathrow security data, including details of the Queen’s route to the airport and her security measures, was found lying in the street over the weekend. IT security experts commented below.
Geoff Webb, Vice President, Product Marketing and Solutions Strategy at Micro Focus:
“It’s definitely not the first time that a lost USB stick has turned up with sensitive information on it. The fact that it was unencrypted is obviously the concern – many organisations have clear policies in place to ensure that information is encrypted wherever it is stored, including on removable media. More broadly, the ability to quickly copy and move very large amounts of data means that encryption will increasingly need to be a standard part of business risk management strategy in order to control access to sensitive information like this. It’s simply too easy to copy information and walk out the door with it (or move it up to a cloud file sharing service) and if the information isn’t encrypted, the potential for loss is significant.”
“The EU is moving toward a remarkably strong data privacy regulation. There is nothing in the works in the US that will provide equivalency to the EU GDPR which goes into effect this coming May 25. My take for EU businesses that need to engage with US data processors is not to trust them. For that matter you should never trust any organization that handles your data. You should encrypt that data as soon as possible. You should store and protect the encryption keys. And you should be able to systematically erase any data at any time in any place.
Once again, we are reminded that data, even secret data, will find a way out. Every organisation sacrifices security for convenience and transporting collections of documents via USB stick is super convenient. As a matter of fact, many organisations, even the US Department of Defense, segment their networks so there is no easy way to transmit files between secured facilities. Thus, USB thumb drives are turned to and it is no surprise that one of them fell out of someone’s bag.
Fixing this problem is not easy but the requirements are well known. It is a combination of data management, where classification and appropriate access controls are put in place. Of course, encryption plays a big role in protecting data. But controlling how USB devices are used is another aspect. Endpoints should be locked down so that the USB ports are strictly controlled and monitored. Only approved devices should be allowed to be inserted and those should always be encrypted.
Another aspect to worry about when doing a complete data audit is where does the data end up? Are there copies of secret documents all over? Those should be sanitized. A comprehensive data sanitization policy and plan can address the trillions of gigabytes of so-called “dark data” that resides in organizations around the world.”