Tips to help your organization keep confidential information confidential and comply with regulations
The best time to develop an encrypted USB plan is before you need to prove you had one — incorporate encrypted USB Flash drives and policies into your organization’s overall security strategy.
Have a contingency plan in place for recovering lost drives.
NOTE: If you don’t have a plan in place for encrypted USBs and guidelines, you have nothing to build on and your organization is at risk at every level — including failure to comply with regulations. Do a simple Google search on data loss involving non-encrypted USBs and you’ll see organizations that did not have a solid plan.
Select the correct USB Flash drive that fits your organization’s needs. Recommended actions would be to:
Determine the reliability and integrity of USBs by confirming compliance with leading security standards and ensuring that there is no malicious code on them.
Understand the many options available that balance corporate needs for cost, security and productivity. Ensure you have the right level of data security for the right price. If you don't need military-grade encryption, don't pay for it.
Work with your purchasing department if you need to and get the support from executive management.
NOTE: If you don’t do your homework, your initiatives may by more challenging to implement and difficult to justify. Simple analysis of what your organization needs and knowing there’s a range of easy-to-use, cost-effective, encrypted USB Flash drive solutions can go a long way toward enabling your organization, and your end users, to get a handle on the issue.
Establish a training program that educates employees on acceptable and unacceptable use of USB Flash drives.
Walk users through actual breach incidents and other negative consequences that occur when using non-encrypted USBs.
Get HR and senior management involved to support your USB data security initiatives. All new employees should be trained as part of the company introduction.
Create a trade-in-program. Engage employees by having them trade their personal USBs or those that they use for business or as storage devices that were acquired at trade shows, etc. for company-authorized USB drives.
NOTE: If you don’t train and educate end users, you don’t have a tightly sealed data leak prevention strategy and you’re more prone to be breached. A recent Ponemon USB security study* found that 72% of employees use free drives from conferences and tradeshows, business meetings, etc. — even in organizations that offer ‘approved’ USB options.
Institute policies for the proper use of electronic portable storage media, including USB Flash drives. Start by:
Identifying those individuals and groups needing access to and/or download sensitive and confidential data on encrypted USB drives and set a policy that allows them access.
Documenting policies for IT teams and end users
Mandating that all employees attend training and sign an agreement post-training so they understand the acceptable use policies and the implications of not following guidelines.
NOTE: If you don’t have the right policies in place for all to follow, USB drives can potentially be the downfall of your data security strategy. Setting a policy is the first step but it’s an incredibly important one. Underscoring the need to establish and enforce USB policies, the Ponemon study results revealed that nearly 50% of organizations confirmed having lost drives containing sensitive or confidential information in the past 24 months.
Provide employees with approved, encrypted USB Flash drives for use in the workplace. Approved Flash drives should have the following features:
Proven hardware-based encryption using Advanced Encryption Standard (AES) 256. Hardware-based security provides portability and superior encryption over host-based software encryption.
User storage space should be 100% encrypted. No non-secured storage space should be provided.
Hardware-based password authentication that limits the number of consecutive wrong password attempts by locking the devices when maximum number of wrong attempts is reached.
NOTE: If you don’t provide encrypted USBs and implement policies that allow end users to be productive, employees usually find a way to work around these security systems out of necessity.
Use device-level management software to manage USB Flash storage devices. Centralized device-level management software allows for drive control over LAN and Internet connections and is an excellent tool for:
Establishing and enforcing encrypted USB usage policies on an individual and/or group basis.
Auditing file activity to better track data moving in and out of your organization.
Providing remote content backup for users who transport critical data.
Remotely disabling devices when lost or compromised and remote password reset when forgotten.
NOTE: If you do not manage authorized drives, sensitive data can be copied onto these devices and shared with outsiders and your organization is the next statistic for data loss or theft.
To ensure that your data is safe, it should be encrypted before being sent out via email or saved on removable storage devices.
For organizations in which confidential or sensitive data is part of your business such as financial, healthcare, government, etc., encryption is the most trustworthy means of protection.
Following the above will provide a “safe harbor” from penalties related to data loss disclosure regulations.
NOTE: If you don’t encrypt data before it’s saved on USB drives, hackers can bypass your anti-virus, firewall or other controls, and that information is vulnerable.
Ensure endpoint-host computer systems are equipped with up-to-date anti-virus software.
Consideration should be given to software programs that provide protection against malware on the USB device when used in non-corporate controlled PCs.
NOTE: New threats emerge every hour or less, and can come from anywhere — email, websites and removable media like USB drives and CDs. Up-to-date anti-virus software is critical for keeping your network safe from known and unknown threats.