John Michael, CEO of iStorage discusses the importance of controlling removable media
The use of removable media such as unencrypted USB flash drives and hard drives has grown at an exponential rate in recent years. With data storage capacities now measured in thousands of gigabytes, the ease with which sensitive corporate information can be copied onto a USB drive and then lost or stolen has become a major concern for organisations, especially with the General Data Protection Regulation (GDPR) fast approaching.
With removable media so widely used within companies, how can we control its use?
Loss of removable media
A single flash drive could contain intellectual property worth millions, even billions, of pounds, and yet the controls needed to monitor and securely manage the use of portable removable media are often neglected or poorly enforced. News of data breaches continues to make headlines on a regular basis, especially breaches involving unencrypted data stored on flash drives and hard drives that are accidentally lost or stolen. For instance, a study from internet security firm ESET revealed that 22,266 USB flash drives were found by dry cleaners in clothing over a 12-month period, and a staggering 45% of those devices were never returned to their owners.
As a result, companies need to start developing and implementing policies on how removable media should be used within their organisation. For example, all USB drives should be encrypted so that nobody can access the data stored on a drive should it be lost or stolen.
An additional measure would be for the IT department to implement a policy of protecting devices with anti-virus software, so that any removable media in use is checked and malware cannot be carried into the corporate environment. A further precaution would be to educate users and make them aware of the potential damage a breach could cause to the company: a devastating effect on reputation, the potential downfall of the business, embarrassment, job losses and adverse media attention.
PwC’s recent 25th annual Law Firms Survey states that ‘cyber-attacks on law firms in the UK have increased by nearly 20% between 2014-15 and 2015-16’, with ‘73% of the top 100 law firms being targeted by cyber-attacks’. The sure way to circumvent such attacks is to back up data on an encrypted external hard drive that is not connected to a network.
With enforcement of the General Data Protection Regulation (GDPR) coming into effect from 25th May 2018, all organisations will have to comply with the new regulation, and regardless of Brexit, all UK firms must adopt and comply with GDPR. Failure to do so may result in fines of up to €20m or 4% of annual global turnover.
GDPR and Encryption
Jon Bartley, Commercial and Technology partner at RPC, states: ‘Taking basic steps, such as using encrypted USB flash drives for your data or secure file-sharing software to transfer client data, will not only reduce the risk of data loss but also materially reduce the risk of having to notify the Information Commissioner’s Office (ICO) if a breach occurs.’
Article 34 of GDPR states that notification of the data subject is not required where ‘the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption’ [see https://www.privacy-regulation.eu/en/34.htm].
Under current data protection law, the ICO has the power to fine an organisation up to £500,000 if it is found in breach of the Data Protection Act. One such high-profile case occurred in August 2014, when the Ministry of Justice was fined £180,000 for losing sensitive data on prisoners. A source reported that ‘A backup hard drive containing data on 2,935 prisoners went missing’ and that ‘The information included details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The drive was not encrypted.’ [see https://www.theguardian.com/society/2014/aug/26/ministry-justice-fined-180000-losing-hard-drive-sensitive-data-prisoners]
Surely such sensitive data should always be encrypted.
The legal sector holds highly sensitive data, so firms need to act now and implement data security policies to reduce the risk of a data breach.
Companies have to realise the importance of being vigilant and keeping their business secure. We all need to get into the habit of protecting data and placing more importance on its value. People put money in a bank to keep it secure, so why not protect data in the same way and store it somewhere safe?