You won’t be GDPR compliant without addressing USB data loss
- 30 August, 2017 12:46
Many Australian companies have been caught off guard by the fast-approaching deadline for compliance with the European Union’s General Data Protection Regulation (GDPR), which imposes new data-security requirements on any organisation handling the personal data of EU citizens – no matter where that organisation is located.
Given that few companies take detailed citizenship histories of their customers before storing customer data, every Australian company risks inadvertently falling afoul of the new laws – which take effect in May 2018 and will carry potential penalties of 4 percent of global revenues, up to a maximum of €20m ($A29m).
To avoid what has been called an “existential threat” from noncompliance penalties, businesses of every size must review and tighten their data collection and security policies to ensure they tightly secure customers’ private data from the moment it is collected.
This includes both security of data at rest on company and cloud-based servers, as well as ensuring data remains protected even if copied by employees – whether with malicious intent or for convenience’s sake – onto portable media such as USB drives.
The accidental insider threat
Fully 25 percent of data breaches examined in Verizon’s Data Breach Investigations Report (DBIR) 2017 were related to actions by internal actors, while other research by Forrester Research put the figure as high as 39 percent. Many of these are due to human error, often involving the loss or theft of USB drives containing sensitive information.
Such loss is extremely common: USB drives can be left in taxis, dropped on the street, swiped by other employees or contractors, or disappear in any number of other ways. One study suggested that 22,000 USB drives are left at the dry cleaners’ every year.
One recent survey of UK government agencies, for example, found that the country’s Ministry of Defence alone lost 328 CDs, DVDs, and USB drives. And in 2015, a Barclays Bank employee lost a USB drive with sensitive data about 13,000 customers – costing the bank £500,000 ($A820,000) in compensation.
Once found, those USB drives are likely to be looked at: anecdotal evidence suggests 75 percent of discovered USB drives will be plugged in by curious outsiders – potentially exposing sensitive personal and company data to complete strangers.
Recognising that USB loss is a potentially damaging vector for data loss, many companies are implementing visibility tools that allow them to manage the use of USB drives centrally. These tools detect when USB drives are connected and used – and can block the movement of data onto drives that carry 128GB or more, enough to walk a large slice of sensitive corporate data out the door in a heartbeat.
A complete ban on USB drives has been entertained by some, but there are many legitimate uses for USB drives and many employees continue to favour their use for moving large files, or data they want to keep with them. Backups are also recognised as a strong protection against ransomware attacks and can be critical in recovering from business interruption.
Given that the use of USB drives is an inevitability, many companies are instead developing policies around the use of USB drives – something that one Spiceworks survey found in place at 80 percent of organisations. Many require employees to use self-encrypting USB storage – such as Kingston Technologies’ IronKey and DataTraveler – that actively cater to data-protection requirements by protecting sensitive data while it’s mobile.
Such drives offer key advantages in the storage and movement of sensitive data. First and foremost, their built-in encryption ensures that even if USB drives are lost, the data they contain cannot be read by anybody other than the authorised user. Second, their management capabilities allow detailed monitoring of data movement that can help identify weak spots in network defences that could potentially lead to data compromise.
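The central USB visibility tools described above, together with a policy that only company-issued self-encrypting drives may be used, come down to two checks: spot a mass-storage device being attached, and decide whether it is a managed drive. The following script is an added example, not code from the article or from Kingston; it parses constructed Linux kernel (dmesg-style) log lines, groups them into one record per attached device, and alerts on any mass-storage device whose serial is not in an assumed inventory of approved encrypted drives. Vendor/product IDs, names and serials are made up.

```python
import re

# Constructed sample of Linux kernel (dmesg-style) lines; IDs, names and serials are made up.
SAMPLE_LOG = """\
[ 1234.700000] usb 1-1: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.10
[ 1234.700200] usb 1-1: Manufacturer: ExampleVendor
[ 1234.700300] usb 1-1: SerialNumber: MANAGED0001
[ 1234.800000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1300.000000] usb 2-3: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 2.00
[ 1300.000200] usb 2-3: Manufacturer: UnknownBrand
[ 1300.000300] usb 2-3: SerialNumber: 99ZZ
[ 1300.100000] usb-storage 2-3:1.0: USB Mass Storage device detected
[ 1400.000000] usb 1-2: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
[ 1400.000200] usb 1-2: Manufacturer: ExampleMouseCo
"""
# Assumed inventory of company-issued self-encrypting drives, keyed by serial number.
APPROVED_SERIALS = {"MANAGED0001"}

NEW_DEV = re.compile(r"\] usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL = re.compile(r"\] usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"\] usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")

def parse_usb_events(log):
    """Group kernel log lines into one record per attached USB device (tracked by port)."""
    current = {}   # port -> record of the device currently attached on that port
    records = []
    for line in log.splitlines():
        m = NEW_DEV.search(line)
        if m:
            port, vid, pid = m.groups()
            current[port] = {"port": port, "vid": vid, "pid": pid, "serial": None, "storage": False}
            records.append(current[port])
            continue
        m = SERIAL.search(line)
        if m and m.group(1) in current:
            current[m.group(1)]["serial"] = m.group(2)
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in current:
            current[m.group(1)]["storage"] = True
    return records

def classify(records, approved):
    """(port, verdict) for mass-storage devices only; keyboards, mice etc. are ignored."""
    return [(r["port"], "allow" if r["serial"] in approved else "alert")
            for r in records if r["storage"]]

if __name__ == "__main__":
    for port, verdict in classify(parse_usb_events(SAMPLE_LOG), APPROVED_SERIALS):
        print(port, verdict)
```

On a live host the same logic can be fed from the kernel log or a udev hook; the alert verdict is where a device-control tool would block the mount or raise a ticket.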
This ensures protection in line with the requirements of GDPR, as well as other critical legislation such as the Notifiable Data Breaches (NDB) scheme and PCI DSS, which will both hit Australian companies with even tighter restrictions on private data protection in 2018.
Surveys have repeatedly identified weaknesses in Australian companies’ preparation for these regulations, and the triple threat is likely to create major problems for those that are still unprepared when the regulations come into effect.
Given the ubiquity of USB drives in today’s enterprises, this key threat vector must be brought under control well before the compliance deadlines roll by. By making an active effort to evaluate and manage the company’s exposure to USB drive compromises, Australian businesses can take a big step towards demonstrating to their customers – whether EU citizens or not – that their data is safe no matter how it’s used.
EU GDPR will be enforced on 25 May 2018. Now is the best time to re-examine company security policies with a secure USB drive free-trial program.