Using and Promoting Encrypted USB Flash Drives in Your Organization

Tips to help your organization keep confidential information confidential and comply with new regulations; EU GDPR and New York’s NYDFS

Build an Encrypted USB Plan: Protect & Comply

DataTraveler Group
  • The best time to develop an encrypted USB plan is before you need to prove you had one — incorporate encrypted USB Flash drives and policies into your organization’s overall security strategy.
  • Institute an encrypted usb with the issue of an employee badge and or company laptop as standard practice of policy and orientation.
  • Have a contingency plan in place for recovering lost drives.

NOTE: If you don’t have a plan in place for encrypted USBs and guidelines, you have nothing to build on and your organization is at risk at every level — including failure to comply with regulations. Do a simple Google search on data loss involving non-encrypted USBs and you’ll see organizations that did not have a solid plan. See our recent whitepaper.

Identify the Best USB Flash Drives for Your Organization

Select the correct USB Flash drive that fits your organization’s needs. Recommended actions would be to:

  • Determine the reliability and integrity of USBs by confirming compliance with leading security standards such as, AES 256 Encryption, FIPS 197 or FIPS 140-2 Level 3and managed solution options. Kingston provides a customized option for business that require specific needs.
  • Understand the many options available that balance corporate needs for cost, security and productivity. Ensure you have the right level of data security for the right price. If you don't need military-grade encryption or casing, don't pay for it.
  • Work with your purchasing department if you need to and get the support from executive management.

100% Compliant Encrypted USB data storage

Simple, easy to use, no software or drivers needed

Designed for quick and efficient deployment

NOTE: If you don’t do your homework, your initiatives may by more challenging to implement and difficult to justify. Simple analysis of what your organization needs and knowing there’s a range of easy-to-use, cost-effective, encrypted USB Flash drive solutions can go a long way toward enabling your organization, and your end users, to get a handle on the issue to manage risks and reduce costs.

Train and Educate

Establish a training program that educates employees on acceptable and unacceptable use of USB Flash drives and Bring Your Own Device (BYOD).

  • Walk users through actual breach incidents and other negative consequences that occur when using non-encrypted USBs.
  • Get HR and senior management involved to support your USB data security initiatives. All new and current employees should be trained as part of the company orientation and ongoing training for policy standards.
  • Create a trade-in-program. Engage employees by having them trade their personal USBs or those that they use for business or as storage devices that were acquired at trade shows, etc. for company-authorized USB drives.

NOTE: If you don’t train and educate end users, you don’t have a tightly sealed data leak prevention strategy and you’re more prone to be breached. A recent Ponemon USB security study* found that 72% of employees use free drives from conferences and tradeshows, business meetings, etc. — even in organizations that offer ‘approved’ USB options.

*Ponemon Institute Study

Establish and Enforce Policies

Institute policies for the proper use of electronic portable storage media, including USB Flash drives. Start by:

  • Identifying those individuals and groups needing access to and/or download sensitive and confidential data on encrypted USB drives and set a policy that allows them access.
  • Documenting policies for IT teams and end users
  • Mandating that all employees attend training and sign an agreement post-training so they understand the acceptable use policies and the implications of not following guidelines.
Establish and Enforce

NOTE: If you don’t have the right policies in place for all to follow, USB drives can potentially be the downfall of your data security strategy. Setting a policy is the first step but it’s an incredibly important one. Underscoring the need to establish and enforce USB policies, the Ponemon study results revealed that nearly 50% of organizations confirmed having lost drives containing sensitive or confidential information in the past 24 months.

Provide Company-Approved USB Drives

Provide employees with approved, encrypted USB Flash drives for use in the workplace. Approved Flash drives should have the following features:

Company Approved
  • Proven hardware-based encryption using Advanced Encryption Standard (AES) 256. Hardware-based security provides portability and superior encryption over host-based software encryption.
  • User storage space should be 100% encrypted. No non-secured storage space should be provided.
  • Hardware-based password authentication that limits the number of consecutive wrong password attempts by locking the devices when maximum number of wrong attempts is reached.
  • Meets the FIPS standards for your industry or company needs. FIPS 197 and or FIPS 140-2 Level 3
FIPS logo   TAA logo

NOTE: If you don’t provide encrypted USBs and implement policies that allow end users to be productive, employees usually find a way to work around these security systems out of necessity.

Manage Authorized USB Drives and Blocking Unapproved Devices

Use device-level management software to manage USB Flash storage devices. Centralized device-level management software allows for drive control over LAN and Internet connections and is an excellent tool for:

  • Establishing and enforcing encrypted USB usage policies on an individual and/or group basis.
  • Auditing file activity to better track data moving in and out of your organization.
  • Providing remote content backup for users who transport critical data.
  • Remotely disabling devices when lost or compromised and remote password reset when forgotten.

NOTE: If you do not manage authorized drives, sensitive data can be copied onto these devices and shared with outsiders and your organization is the next statistic for data loss or theft.

Encrypt Confidential Data

  • To ensure that your data is safe, it should be encrypted before being sent out via email or saved on removable storage devices.
  • For organizations in which confidential or sensitive data is part of your business such as financial, healthcare, government, etc., encryption is the most trustworthy means of protection.
  • Following the above will provide a “safe harbor” from penalties and or lawsuits related to data loss disclosures following new regulations.

NOTE: If you don’t encrypt data before it’s saved on USB drives, hackers can bypass your anti-virus, firewall or other controls, and that information is vulnerable. IronKey drives implement an “On-Device Cryptochip” for an additional layer of protection.

Certify Anti-Virus Protection is Present at Every Entry Point

  • Ensure endpoint-host computer systems are equipped with up-to-date anti-virus software.
  • Consideration should be given to software programs that provide protection against malware on the USB device when used in non-corporate controlled PCs.

NOTE: New threats emerge every hour or less, and can come from anywhere — email, websites and removable media like USB drives and CDs. Up-to-date anti-virus software is critical for keeping your network safe from known and unknown threats.