So it’s Monday morning and you need to get to the office, but you only have odd socks in your drawers. Where have the matching socks gone?
I have a theory that there are little people living under our houses who run around collecting ‘odd socks’, to save us from the error of becoming too predictable and symmetric. I call them “the Collectors”. They don’t only collect odd socks; they collect hair clips, pens, and, here is where the information security bit comes in… USB memory sticks, commonly referred to as ‘thumb-drives’.
How else can we explain where our USB sticks disappear to? How many have you purchased or acquired in the last 10 years? Where are they now? Fortunately for us, “the Collectors” are not interested in what is contained within these little plastic sticks, so it really is not a concern to us security-conscious individuals. Or is it? Although it really is no big deal if you turn up at the office with odd socks (it has become pretty cool nowadays), the memory sticks are a bit trickier. How much data is stored on them, and is some of it personal data?
But what is personal data? This is difficult. Nowhere has a clear definition of personal data been stated, although Personally Identifiable Information (PII) and sensitive data have been defined. In the EU even the IP address is classed as PII. The problem is that data from different sources can be combined to become identifying data, and that data could be on one or more of your, or your employees’, memory sticks.
The new EU Data Protection Regulation, due out in December this year or potentially January 2016, will have the power to impose fines on companies that lose personal data. The numbers we have at the moment are between 2% and 5% of revenue for each data loss. In the public sector the fines will be fixed. What this means is that when one of your employees loses one of their memory sticks, your company is liable for the consequences.
So what’s the solution? Well, this is the rather nice part: it is simple when it pertains to data stored on removable persistent storage, e.g. a memory stick.
- Request all your employees to turn in their memory sticks;
- Destroy them, securely;
- Replace them with encrypted sticks that have a simple PIN code built in;
- Enforce the use of encrypted sticks using the Port-LOCK (device control) functionality found in most virus scanning packages today, which is often not implemented;
- Log all data that is copied to and from USB devices.
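The last two steps, enforcing that only the issued encrypted sticks are used and logging USB activity, are the ones that need tooling. As an added example that is not from the original post, the script below runs an allowlist check over Linux kernel log lines of the kind written when a USB device attaches: it correlates the `New USB device found` line (which carries idVendor/idProduct) with the `USB Mass Storage device detected` line for the same port, and raises an alert for any mass-storage device whose vendor/product ID is not the approved encrypted model. The allowlist IDs and the sample log lines are constructed placeholders, not real product identifiers.

```python
"""Allowlist check for removable USB storage, run over sample kernel log lines.
Added example (not the original post's code). Device IDs are placeholders."""
import re
from dataclasses import dataclass

# Constructed allowlist of the issued hardware-encrypted, PIN-protected stick model,
# keyed by (idVendor, idProduct). Placeholder values, not a real product.
APPROVED_DEVICES = {("1111", "2222")}

# Kernel log line written for every USB attach, e.g.
#   usb 1-3: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
ATTACH_RE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Kernel log line written only when the device exposes mass storage, e.g.
#   usb-storage 1-3:1.0: USB Mass Storage device detected
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):[\d.]+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class StorageAttach:
    port: str
    vid: str
    pid: str
    approved: bool


def find_storage_attachments(lines, allowlist=APPROVED_DEVICES):
    """Return one StorageAttach per mass-storage device seen in the log lines.

    The vendor/product ID is taken from the most recent attach line on the same
    port, so a keyboard or other non-storage device never produces an event."""
    latest_on_port = {}  # port -> (vid, pid)
    events = []
    for line in lines:
        m = ATTACH_RE.search(line)
        if m:
            latest_on_port[m["port"]] = (m["vid"], m["pid"])
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in latest_on_port:
            vid, pid = latest_on_port[m["port"]]
            events.append(StorageAttach(m["port"], vid, pid, (vid, pid) in allowlist))
    return events


def alerts_for(events):
    """One alert line per mass-storage device that is not on the allowlist."""
    return [
        f"ALERT: unapproved USB storage {e.vid}:{e.pid} on port {e.port}"
        for e in events
        if not e.approved
    ]


# Constructed sample log: an approved stick, a keyboard (no storage), and an
# unapproved stick. Timestamps and IDs are made up for the example.
SAMPLE_LOG = [
    "[  100.120] usb 1-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00",
    "[  100.125] usb-storage 1-1:1.0: USB Mass Storage device detected",
    "[  205.010] usb 1-2: New USB device found, idVendor=aaaa, idProduct=bbbb, bcdDevice=64.00",
    "[  300.500] usb 1-3: New USB device found, idVendor=3333, idProduct=4444, bcdDevice= 1.00",
    "[  300.505] usb-storage 1-3:1.0: USB Mass Storage device detected",
]

if __name__ == "__main__":
    found = find_storage_attachments(SAMPLE_LOG)
    for ev in found:
        print(f"{ev.port}: {ev.vid}:{ev.pid} approved={ev.approved}")
    for alert in alerts_for(found):
        print(alert)
```

In practice the same correlation would be fed from the endpoint's log shipper rather than a fixed list, and the alerts forwarded to the SIEM alongside the file-copy logging from the last step; the point of keying on idVendor/idProduct is that it records which physical device class was plugged in, which the file-copy log alone does not tell you.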
This is not difficult to implement, and pretty inexpensive. This mitigation will block one of the main channels/threat vectors for data loss in your organization.
You could of course just keep hoping that it is ‘the Collectors’ who have all of your organization’s mislaid memory sticks. Maybe I am right about that too… but I wouldn’t believe me, if I were you ;-)