Portable flash drives, also called thumb drives, USB drives or memory sticks, have become commonplace. They offer high-capacity data storage and make it easy to move information between computers: just plug the device into a USB port (or, far less commonly, a FireWire port). Flash drives have even become novelty giveaways at trade shows, preloaded with marketing material or other information the presenter wishes to convey. USB drives offer convenience, but that convenience comes with real security risks to your business.
You can now carry a terabyte or more of data in your pocket. That is great, but it also means you can just as easily misplace everything stored on the device. Depending on your line of business and what you or your employees store on these drives, a lost drive may create regulatory obligations, not just an inconvenience.
Covered entities (organizations that maintain regulated information) must report lost or stolen computers containing personal and private information such as Social Security numbers or healthcare records, and that reporting duty applies just as much to portable storage devices as to laptops or desktops. These requirements apply not only to your business but also to any business partner you engage to handle protected information on your behalf.
Earlier this year a small Massachusetts physician practice was fined $150,000 after an unencrypted USB flash drive containing the medical records of about 2,200 patients was stolen from an employee's vehicle. The fine was levied principally because the organization had never conducted a risk assessment covering its use of flash drives and had not put proper data-handling and breach-notification procedures in place; it was the absence of those controls, not the theft alone, that the regulator penalized.
Attackers also write malware specifically designed to spread on USB drives, because the infection travels between computers as soon as the drive is plugged into the next USB port. Keeping anti-virus software up to date and scanning flash drives when they are inserted is essential to blocking such threats. Some organizations go so far as to disable USB mass-storage on their computers altogether to stop malware from being imported on employee memory sticks.
So what should an organization do to protect itself? Here are some recommendations:
- Consider if USB or other portable drives should be utilized within the business.
- If so, is this a necessity or more of a convenience and are there other ways to produce the same outcome?
- Consider what data is permissible to be stored on flash drives and who within the organization may do so.
- Develop policies and procedures that cover acceptable use, storage, handling, and what to do (including whom to notify, and how quickly) should a drive go missing. Share these documents within the organization and hold your employees responsible for following them.
- Encrypt sensitive data stored on memory sticks. Encryption built into the drive's own hardware is preferable, because it does not depend on every host computer being configured correctly, and not all memory sticks are the same, so choose devices accordingly.
- Password-protect thumb drives, and consider tamper-resistant devices that wipe their contents after a maximum number of failed password attempts or when the device case is opened.
- Keep anti-virus software on every computer current, and configure it to scan thumb drives as they are inserted.
- If you must use USB drives, store them in a safe place where they will not be lost or stolen.
- Do not allow personal USB drives on company computers, and do not allow company data to be stored on or accessed from personally owned machines. If your employees work from home, provide a business computer that is secured and maintained by the business.
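The three host-side recommendations above (disabling USB storage where it is not needed, scanning drives on insertion, and encrypting drives that are allowed) can be enforced on Windows computers rather than left to individual users. The following is an added example, not code from the original article or from Network Management Solutions. It assumes Windows 10 or 11 Pro/Enterprise with BitLocker and Microsoft Defender, an elevated PowerShell session, and a removable volume already mounted at a drive letter you supply; the drive letter E: and the password prompt are placeholders.

```powershell
# Added example (not from the original article). Assumptions: Windows 10/11
# Pro or Enterprise with BitLocker and Microsoft Defender, run as Administrator.
#Requires -RunAsAdministrator

# Registry locations behind the relevant Group Policy settings.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$Fve            = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$UsbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Option A: the business has decided removable drives are not needed at all.
# Start=4 (disabled) stops Windows loading the USB mass-storage driver for
# newly inserted drives; keyboards, mice and other USB classes keep working.
function Disable-UsbMassStorage {
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4
}

# Option B: removable drives are allowed, but only when encrypted.
#  - RDVDenyWriteAccess: "Deny write access to removable drives not protected
#    by BitLocker", so data can only be copied onto an encrypted stick.
#  - Deny_Execute: "Removable Disks: Deny execute access", which blocks the
#    plug-in-and-run malware the article warns about.
function Set-RemovableStoragePolicy {
    Set-PolicyDword -Path $Fve            -Name RDVDenyWriteAccess -Value 1
    Set-PolicyDword -Path $RemovableDisks -Name Deny_Execute       -Value 1
}

# Make sure Defender scans removable drives and real-time protection is on,
# so files arriving from a stick are inspected as they are read or copied.
function Enable-RemovableDriveScanning {
    Set-MpPreference -DisableRemovableDriveScanning $false
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# Encrypt a removable drive with BitLocker To Go using a password protector,
# then return its status so the caller can verify it before handing it out.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:' (placeholder)
        [Parameter(Mandatory)][securestring]$Password
    )
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus      # EncryptionInProgress, then FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus  # On once the password protector is active
    }
}

# Example usage (placeholders):
# Set-RemovableStoragePolicy
# Enable-RemovableDriveScanning
# gpupdate /force            # policy values take effect at the next policy refresh
# $pw = Read-Host -AsSecureString -Prompt 'Drive password'
# Protect-RemovableDrive -MountPoint 'E:' -Password $pw
```

Pick one of the two options rather than both: Option A removes removable storage entirely, Option B keeps it usable but forces encryption and blocks execution from the drive. Two caveats a practitioner will want: a drive that is already plugged in when USBSTOR is disabled keeps working until it is removed, and XTS-AES encrypted drives cannot be read on Windows 7 or 8.1, so use `-EncryptionMethod Aes256` instead if the sticks must travel to older machines.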
Network Management Solutions has been providing pragmatic solutions for business since 1996. For more information please contact us.