Encrypted USB-drives - An important piece of the EU-GDPR puzzle

Editorial Type: Research Date: 07-2017 Views: 1,294 Tags: Security, Compliance, Flash, Encryption, Kingston Technology PDF Version:
USB drives are a 'faithful companion' in our professional lives, suggests new research - but their security is an increasingly important consideration, especially in the run-up to the new EU GDPR, argues Christoph Bader, Strategic Marketing Manager B2B EMEA for Kingston Technology

It is an everyday scenario: an employee downloads data from a work PC onto a USB-drive, perhaps for a back-up, to work from home, or to give a presentation. The employee leaves the office and on the way home the USB slips out of their pocket. The data on the drive is not encrypted and is accessible to anyone who plugs the drive into a computer - which a recent survey found that almost half of us do upon stumbling across a USB. In a best-case scenario losing a USB drive is just an annoyance. Lose a USB with confidential or personal data however and it's a different story.

On 24th May 2018, the current data protection legislation from 1995 will be fully replaced by the EU General Data Protection Regulation (EU GDPR). The EU GDPR aims to strengthen the protection of personal data for EU citizen: eg, through the 'right to be forgotten' and future-proofing data protection legislation in the EU. It is also an attempt to unify the different national legislations, which can be confusing in their overlaps and differences. This means that organisations will have to take extra steps to avoid any kind of data leaks, loss and theft. The fines for personal data such as names, date of birth, bank details or medical records being leaked can add up to 4% of the global revenue of an organisation, or 20 million euros (whichever is higher).

Additionally, the individuals concerned as well as a supervisory authority will have to be notified if personal data has been compromised. This means that a data breach - on top of the direct costs like fines, legal fees, etc - will also automatically generate indirect costs such as negative publicity, loss of customer trust and ultimately business. Hence organisations should start reviewing and checking their internal IT processes and policies now and modify them accordingly.

One of the most neglected risks is often simply not encrypting company USB drives. You may think that the use of USB drives is on the decline. However, a recent survey commissioned by Kingston Technology on the use of USB drives has shown that about 66% of participants use more than one USB drive for job purposes. Of these users, alarmingly 38% reported that one or more drives had disappeared while in company use (24% out of these were reported lost, 4% reported stolen and in 72% it was unclear what happened to the drive). Another worrying result is that almost half of the surveyed employees said that they mix personal and job data on their USB drives.

Other questions showed that in about a fifth of the company's surveyed, employees save sensitive data on USB drives. Yet, 86% reported that they do not use hardware-based encrypted USBs for these. The conclusion can be drawn that carelessness of organisations and employees when dealing with USB drives is a substantial risk for companies. Obviously, improving network or cyber security is an ongoing major task for IT departments, as hacking or ransomware attacks are an increasingly prevalent issue. But in a more and more mobile world where employees frequently work from home or in a BYOD environment, companies will need to better address security concerns that come along with 'data on the go'.

In order to become compliant with the EU GDPR in regard to mobile data, we recommend that organisations consider the following five steps:

First and foremost, it is crucial that organisations understand the new regulation and its implications. Secondly, they need to assess which personal and sensitive data the organisation processes, who has access to them and which data leaves the organisation. Once there is an understanding of this, the third step should be to define a strategy for the data, as well as policies on who gets access to which data and on which medium.

The next step refers to the technology being used. And this is where encrypted USB drives come in. EU GDPR does not dictate which technology to use in order to protect personal data, but it does mention encryption as an option to be considered. Encrypted USBs are often the most sensible, cost-effective option for protecting 'data on the go'.

Lastly, organisations need to ensure that users are aware of the new legislation and that best practice data protection policies are followed and the appropriate technology is used. At this stage it is also important to remember that this not only applies to data that you need to protect from a legal point of view, but also to sensitive data that you want to protect from a business point of view.

To help make sure that organisations comply with the EU GDPR, Kingston Technology offers affordable business-grade encrypted (DTVP 3.0), high-security (DT4000 G2) as well as keypad USB-drives (DT2000). Additionally, Kingston uses the recently acquired IronKey product line to deliver FIPS 140-2 Level 3 certification solutions for organisations that need the highest level of encryption and security. Furthermore, Kingston's software partner DataLocker Inc. offers the SafeConsole and Enterprise Management Services (EMS) platforms that both Kingston and IronKey managed encrypted drives utilise. Both enable IT administrators to centrally manage encrypted USB drives to meet compliance requirements and provide a higher level of support. Features include setting passwords remotely, configuring password and device policies, activating audit for compliance, remote killing a drive and more.

As already mentioned, the encryption of personal data is currently one of the state-of-the-art ways to be safe. The encryption of personal data does not have to be complicated, as an encrypted USB drive automatically carries it out in the background. Users are only confronted with the encryption when they insert a drive into a computer and have to enter a password. There's no technical knowledge required which makes such this solution very easy to implement and use. This is crucial, as needlessly complex solutions increase the risk of employees not using them.

Organisations invest heavily in protecting data inside their network, but data beyond a company's firewall is equally important. Due to the new regulation and its impact on organisations' finances, security and data protection are expected to become more of a topic for senior management and boardrooms.

Currently, the encryption of personal and other sensitive data is more a topic for IT departments and IT security managers. The potential fines and impact on the reputation of a company will ensure an increase in the overall awareness for the topic within organisations. By investing in 256-bit AES hardware-based encrypted USB drives, organisations can get a small, but important, item ticked off their GDPR to-do list.

This may be unfamiliar territory for some organisations, but at Kingston Technology, we are confident we can support organisations in meeting their GDPR requirements and ensuring a smooth transition from one data protection legislation to another.

More info: www.kingston.com