As anybody reading the headlines knows, USB flash drives, along with CD/DVD optical disks, are getting lost, misplaced or stolen every day. These devices often contain sensitive data not secured by accepted practices like password-protected
Even if no actual harm comes from the mislaid data, the mere fact that unsecured data has been put at risk can lead to substantial fines and penalties. And these dangers and penalties apply to companies of all sizes, even small-midsized businesses (SMBs) that may not have the IT resources to devote to complex security measures.
While there's no easy way to prevent these small but multi-gigabyte-bearing items from going astray, there are easy -- and affordable -- ways to ensure that employees secure sensitive data before it leaves the premises.
Here are some tips for securing data on mobile media:
Tip 1: Understand what sensitive data is, and why it needs to be protected:
- What constitutes sensitive data can range from personal employee or customer information, to company trade secrets, customer contact/sales databases, product pricing and other competitive data.
- Why does it need to be protected? Regulations such as Sarbanes-Oxley, HIPAA and other industry/government compliance rules dictate that certain data be properly maintained; a breach or any other form of non-compliance may entail significant financial penalties. The potential impact of data loss on company productivity, finances, reputation and so forth should also be considered.
Tip 2: Identify what data your employees want to carry, and why:
- You should determine who (employee, contractor, customer, prospect, etc.) wants to carry data offsite, how much, to where and when. How much sensitive data is involved? Who will need access to this data? Will they need to work offline (e.g., on a plane)?
- Will employees only be carrying copies of data from the office, or also creating or capturing new data that should also be protected?
- How much auditing or control do you want regarding USB flash drive use, e.g., what files are downloaded, remote password reset, remote "kill" (delete data)?
- How much security management is your company's IT staff prepared to do? How much are you prepared to budget for them, or for third-party services?
Tips 3 & 4: Create a policy regarding out-of-office data and select products to implement it:
These two steps need to be done together, since the policies put in place will determine which products to consider. The products you select also may define/constrain the policies you can mandate.
- Create a "data out-of-office" policy, including what data is/isn't allowed to leave the premises and procedures for reporting a lost/missing drive.
- Decide who will be responsible for provisioning devices; e.g., will the company buy and provide all devices? Are users allowed to use their own USB drives to carry company data? May users put personal files on company USB drives?
- Publicize these policies -- post on bulletin boards and require that each employee sign a copy for their personnel file, before being given a company flash drive.
Tip 5: Test and train.
Make sure employees know how to secure and access data -- have training sessions.
Be sure to try the "limited number of password tries" software so you know how it works (using a copy of test data).
Flash drive and software vendors offer data security solutions for SMBs
Vendors offering secure USB flash drives include IronKey, Kingston Technology Corp., SanDisk Corp. and Verbatim. Some are whole-drive-secured; others allow a private (secured) and public (unsecured) partition. Other features may include rugged design and tamper-proof hardware; remote manageability and management/logging software and/or compatibility with third-party tools; FIPS 140-2 certified versions; and/or managed services for password backup, device management, etc.
Software products are also available, some of which may also handle media cards, external hard drives and even CD/DVD optical disks.
Software vendors offering the ability to do file/folder, public/private partition and/or full-device encryption include PGP Corp. and RSA Security. Open-source encryption tools include TrueCrypt and Toucan. Security software is also available for U3 SmartDrive USB flash drives. GFI EndPointSecurity is an example of endpoint management software for USB flash drives and other devices.
The most important thing any SMB can do to protect its sensitive data is to ensure that the selected product is actually used. This requires employee education and some degree of enforcement. Make sure that you have central copies of passwords, especially if new data is being collected out of the office.
This was first published in September 2008