Updated April 2nd, 2019
How many USB flash and thumb drives have you owned in your life? Counting giveaways from conferences and trade shows, I would estimate my number would be well north of 30.
Of that total, how many could you easily locate? Three? Maybe four? USB drives are so small, cheap and replaceable that they have essentially become disposable. These days, you don’t own USB drives, you rent them.
So back to those you’ve lost track of. Were they completely wiped before leaving your care or simply deleted? Ideally, old USB drives should be shredded, but that rarely happens. Like me, you have likely either lost or misplaced those portable devices over time and thought little of it.
Think it can’t happen?
Take the Canadian Government as a prime example. In 2013, Human Resources and Skills Development Canada (HRSDC) announced that an employee had lost a portable drive containing the financial and loan information (including names and social insurance numbers) of over half a million Canadians. This news followed a similar announcement in December in which that same department lost a drive holding 5,000 individuals’ personal information.
More recently, in 2017, MAPFRE Life Insurance Company paid a $2.2 million HIPAA breach settlement after a flash drive that contained confidential health information from over 2,200 people was stolen.
Risks associated with lost USB drives aside, there are still numerous other security concerns to be addressed. Data left on missing drives is a threat, but so is the potential for an employee to introduce a packet sniffer, keyboard logger or some other malicious program to their computer – unknowingly or not.
It would be easy to dismiss this as a problem with inattentive civil servants, but that simply is not the case. While training regarding the dangers of data loss is certainly warranted for any groups that handle confidential information, it is the medium (USB drives, thumb drives – portable storage devices in general) that is flawed. While great for the transfer of family photos, portable devices simply aren’t suitable for moving confidential information around.
Is there a better way?
Many organizations now lock down employee computers to prevent the use of USB drives. More progressive companies also conduct security audits and provide mandatory company-wide training on data loss risks and prevention. It’s a good start, but it does not offer employees an alternative that is equally or more convenient.
Employees use USB drives in an attempt to perform efficiently. Banning their use while failing to provide another option for data transfer only invites them to find a workaround. We recently discussed this topic further in File Sharing at the Enterprise Level: 3 Steps IT Departments Should Take.