2 Replies Latest reply on Sep 30, 2014 1:08 PM by bspencer63

    Thoughts on USB Device Risk and Response - How can we Stop Data from Walking out the Door

    nicole pauls

      We're constantly (too often!) inundated with news about the next high-impact, corporate-level data breach. Suddenly, thousands of peoples’ lives are disrupted as companies scramble to notify patients or customers about the potential loss of their data. Financial institutions get bombarded with calls from customers seeking answers, credit monitoring, and instructions for protecting their data and assets. Meanwhile, the targeted company strives to conduct business while working to assess the damage and focus on recovery. All-in-all, it can be extremely costly for everyone involved.

      If your company experiences a data breach, your recovery process includes strengthening your front-line defenses to ensure that this type of external breach doesn't happen again. However, an often overlooked fact is that an alarming number of breaches happen from inside the network. The usual culprit? USB thumb drives. When employees use these devices, your sensitive data is at the mercy of how well they keep track of them. Check out these statistics:

      • 800,000 data-sensitive devices are lost or stolen each year
      • 74% of missing USB drives result from employee negligence
      • 65% of missing USB drives are not reported by the employee

      The increased usage of these small storage devices greatly increases your risk of a security breach - whether through malice or simple ignorance (or abuse of policy - "it's easier to get my job done if I bend the rules just a little and take this device with me..."). When a USB thumb drive is lost or stolen, your sensitive data can end up in the wrong hands and a data breach is almost inevitable. Losing sensitive data commonly results in:

      • Loss of Intellectual property
      • Loss of private customer data
      • Compliance violations and fines
      • Damage to company reputation/brand
      • Loss of customer loyalty
      • Loss of future business opportunities
      • Lawsuits
      • Financial and criminal penalties

      Most internal data breaches are unintentional, resulting from the devices getting lost or stolen as revealed in these news stories:

      • Student data from Denver elementary schools at risk after thumb drive was stolen from a school nurse’s car. Story
      • Thousands of patient records compromised when Nebraska doctor lost thumb drive he’d been wearing on a lanyard around his neck. Story
      • Investment regulator loses portable device containing personal information belonging to clients of multiple investment firms. Story

      The upside is that according to the Verizon Data Breach Investigation Report, 97% of breaches are avoidable. Instead of suffering a data breach and dealing with the daunting task of recovery, you can take steps to prevent such an incident altogether:

      • Establish a clearly-defined, company-wide portable device policy.
      • Educate end-users about portable device usage, policies, and security practices.
      • Invest in technology like USB-Defender to monitor and prevent or respond to inappropriate usage

      Prevention is always the best approach to preserving the integrity of confidential information. The costs of recovering from a breach greatly exceed the costs of proactively protecting your data. Portable device policies and employee education help reduce security risks, but you can amp up your data security even more using technology designed specifically for monitoring and regulating USB devices. A lot of people feel stuck in an "all or nothing" approach, but the cost of monitoring and prevention via technology doesn't have to be high.


      What methods do you use to control the use of portable devices and curb potential internal data breaches? Do you allow USB device usage at all, use some technology to assist in controlling usage, or prefer to limit data access? What keeps you up at night with these kinds of devices?

        • Re: Thoughts on USB Device Risk and Response - How can we Stop Data from Walking out the Door
          nicole pauls

          We're also looking into creating some guidance and best practices around USB device policies, monitoring, and controls - what tips would you pass on to others or areas would you like to see covered? I didn't want to derail the main post with this question, but if you've got battle scars, let us know what we can pass on to prevent others from being eaten by the same grue.

          • Re: Thoughts on USB Device Risk and Response - How can we Stop Data from Walking out the Door

            After a long and exhausting research and Network analysis, it was decided to lock down USB ports on our Network to only approved devices.  We purchased "DeviceLock" which is a very good USB device auditing and control AD integrated application.  This WAS the plan...  That got axed. 

            So, in lieu of locking ports down, monitoring was enabled so that we can know what got taken off the Network.  Nice to know, but it doesn't really help in the long run. 

            After that fiasco, we purchased a bunch of IronKey devices which are great for the "when someone loses a USB thumb drive" scenario as they are encrypted with password protection and have an internal processor that will either "Destroy" the device, making it unusable to the new owner or delete all files, which gives the new owner a clean and wiped device to use.  We destroy the device so that the "new owner" gets no benefit from their new acquisition. 

            With "Portable Apps" running an AV program, it is a very nice standalone implementation.  (Well it would be if it would get used anyway)

            That was all good until they started issuing 8GB, 16GB, 32GB, 64GB and 128GB thumb drives that were not encrypted nor password protected.  All that previous work went down the tubes! 


            A very important fact on our Network....The only breeches and other issues (two zero day Viruses) we have experienced in the past decade were from USB Thumb Drives brought in from home and plugged into our Network!  (Will they ever learn?)


            BTW... I work for a few hundred lawyers.... That makes it even more interesting, huh?  I'm sure that after we get sued for data loss the policy will get re-implemented and adhered to very tightly!


            You can preach and advocate as much as you want, but, until you create and adhere to a company/enterprise wide policy, you are wasting your time and money!


            GOOD LUCK!