Using and Promoting Encrypted USB Flash Drives in Your Organization

Tips to help your organisation keep confidential information confidential and comply with new regulations: EU GDPR and New York’s NYDFS

Build an Encrypted USB Plan: Protect & Comply

  • The best time to develop an encrypted USB plan is before you need to prove you had one – incorporate encrypted USB Flash drives and policies into your organisation’s overall security strategy.
  • Provide an encrypted USB when you issue an employee badge and/or company laptop as standard practice.
  • Have a contingency plan in place for recovering lost drives.

NOTE: If you don’t have a plan in place for encrypted USBs and guidelines, you have nothing to build on and your organisation is at risk at every level – including failure to comply with regulations. Perform a simple Google search on data loss involving non-encrypted USBs and you’ll find organisations that did not have a solid plan. See our recent whitepaper.

Identify the Best USB Flash Drives for Your Organisation

Select the correct USB Flash drive that fits your organisation’s needs. Recommended actions would be to:

  • Determine the reliability and integrity of USBs by confirming compliance with leading security standards, such as AES 256 encryption and FIPS 197 or FIPS 140-2 Level 3, and by checking for managed solution options. Kingston provides a customised option for businesses with specific needs.
  • Understand the many options available that balance corporate needs against cost, security and productivity. Ensure that you have the right level of data security for the right price. If you don't need military-grade encryption or casing, don't pay for it.
  • Work with your purchasing department if you need to and get support from executive management.

NOTE: If you don’t do your homework, your initiatives may be more challenging to implement and difficult to justify. Simple analysis of what your organisation needs and knowing there’s a range of easy-to-use, cost-effective, encrypted USB Flash drive solutions can go a long way toward enabling your organisation, and your end users, to manage risks and reduce costs.

Train and Educate

Establish a training programme that educates employees on the acceptable and unacceptable use of USB Flash drives and Bring Your Own Devices (BYOD).

  • Walk users through actual breach incidents and other negative consequences that occur when using non-encrypted USBs.
  • Get HR and senior management involved to support your USB data security initiatives. All new and current employees should be trained as part of the company orientation and receive ongoing training on policy standards.
  • Create a trade-in programme. Engage employees by providing company-authorised USB drives in exchange for personal USBs, or USBs acquired at trade shows, etc., that they use for business or as storage devices.

NOTE: If you don’t train and educate end users, you don’t have a tightly sealed data leak prevention strategy and you’re more prone to be breached. A recent Ponemon USB security study* found that 72% of employees use free drives from conferences and tradeshows, business meetings, etc. – even in organisations that offer ‘approved’ USB options.

*Ponemon Institute Study

Establish and Enforce Policies

Institute policies for the proper use of electronic portable storage media, including USB Flash drives. Start by:

  • Identifying those individuals and groups that need to access and/or download sensitive and confidential data on encrypted USB drives, and setting a policy that allows them access.
  • Documenting policies for IT teams and end users.
  • Mandating that all employees attend training and sign an agreement post-training to confirm that they understand the acceptable use policies and the implications of not following guidelines.

NOTE: If you don’t have the right policies in place for all to follow, USB drives can potentially be the downfall of your data security strategy. Setting a policy is the first step, but it’s an incredibly important one. Underscoring the need to establish and enforce USB policies, the Ponemon study results revealed that nearly 50% of organisations had lost drives containing sensitive or confidential information in the past 24 months.

Provide Company-Approved USB Drives

Provide employees with approved, encrypted USB Flash drives for use in the workplace. Approved Flash drives should have the following features:

  • Proven hardware-based encryption using Advanced Encryption Standard (AES) 256. Hardware-based security provides portability and superior encryption over host-based software encryption.
  • User storage space should be 100% encrypted. No non-secured storage space should be provided.
  • Hardware-based password authentication that limits the number of consecutive wrong password attempts by locking the devices when the maximum number of wrong attempts is reached.
  • Meets the FIPS standards for your industry or company needs: FIPS 197 and/or FIPS 140-2 Level 3.

NOTE: If you don’t provide encrypted USBs and implement policies that allow end users to be productive, employees usually find a way to work around these security systems out of necessity.

Managing Authorised USB Drives and Blocking Unapproved Devices

Use device-level management software to manage USB Flash storage devices. Centralised device-level management software allows for drive control over LAN and Internet connections and is an excellent tool for:

  • Establishing and enforcing encrypted USB usage policies on an individual and/or group basis.
  • Auditing file activity to better track data moving in and out of your organisation.
  • Providing remote content backup for users who transport critical data.
  • Remotely disabling devices when lost or compromised and performing remote password resets when forgotten.

NOTE: If you do not manage authorised drives, sensitive data can be copied onto these devices and shared with outsiders, making your organisation the next statistic for data loss or theft.

Encrypt Confidential Data

  • To ensure that your data is safe, it should be encrypted before being sent out via email or saved on removable storage devices.
  • For organisations in which confidential or sensitive data is part of your business, such as in the financial, healthcare and government sectors, encryption is the most trustworthy means of protection.
  • Following the above will provide a “safe harbour” from penalties or lawsuits related to data loss disclosures following new regulations.

NOTE: If you don’t encrypt data before it’s saved on USB drives, hackers can bypass your anti-virus, firewall or other controls, and that information becomes vulnerable. IronKey drives implement an “On-Device Cryptochip” for an additional layer of protection.

Certify Anti-Virus Protection is Present at Every Entry Point

  • Ensure endpoint-host computer systems are equipped with up-to-date anti-virus software.
  • Consider software programs that protect against malware on the USB device when it is used in PCs not under corporate control.

NOTE: New threats emerge every hour or even more frequently, and can come from anywhere – email, websites and removable media such as USB drives and CDs. Up-to-date anti-virus software is critical for keeping your network safe from known and unknown threats.