We're constantly (too often!) inundated with news about the next high-impact, corporate-level data breach. Suddenly, thousands of people's lives are disrupted as companies scramble to notify patients or customers about the potential loss of their data. Financial institutions get bombarded with calls from customers seeking answers, credit monitoring, and instructions for protecting their data and assets. Meanwhile, the targeted company strives to conduct business while working to assess the damage and focus on recovery. All in all, it can be extremely costly for everyone involved.
If your company experiences a data breach, your recovery process includes strengthening your front-line defenses to ensure that this type of external breach doesn't happen again. However, an often-overlooked fact is that an alarming number of breaches originate inside the network. The usual culprit? USB thumb drives. When employees use these devices, your sensitive data is at the mercy of how well they keep track of them. Check out these statistics:
- 800,000 data-sensitive devices are lost or stolen each year
- 74% of missing USB drives result from employee negligence
- 65% of missing USB drives are not reported by the employee
The growing use of these small storage devices greatly increases your risk of a security breach - whether through malice or simple ignorance (or abuse of policy - "it's easier to get my job done if I bend the rules just a little and take this device with me..."). When a USB thumb drive is lost or stolen, your sensitive data can end up in the wrong hands and a data breach is almost inevitable. Losing sensitive data commonly results in:
- Loss of intellectual property
- Loss of private customer data
- Compliance violations and fines
- Damage to company reputation/brand
- Loss of customer loyalty
- Loss of future business opportunities
- Financial and criminal penalties
Most internal data breaches are unintentional, resulting from devices getting lost or stolen, as these news stories show:
- Student data from Denver elementary schools at risk after thumb drive was stolen from a school nurse’s car.
- Thousands of patient records compromised when Nebraska doctor lost thumb drive he’d been wearing on a lanyard around his neck.
- Investment regulator loses portable device containing personal information belonging to clients of multiple investment firms.
The upside is that, according to the Verizon Data Breach Investigation Report, 97% of breaches are avoidable. Instead of suffering a data breach and dealing with the daunting task of recovery, you can take steps to prevent such an incident altogether:
- Establish a clearly defined, company-wide portable device policy.
- Educate end-users about portable device usage, policies, and security practices.
- Invest in technology like USB-Defender to monitor and prevent or respond to inappropriate usage.
Prevention is always the best approach to preserving the integrity of confidential information. The costs of recovering from a breach greatly exceed the costs of proactively protecting your data. Portable device policies and employee education help reduce security risks, but you can amp up your data security even more using technology designed specifically for monitoring and regulating USB devices. A lot of people feel stuck in an "all or nothing" approach, but the cost of monitoring and prevention via technology doesn't have to be high.
What methods do you use to control the use of portable devices and curb potential internal data breaches? Do you allow USB device usage at all, use some technology to assist in controlling usage, or prefer to limit data access? What keeps you up at night with these kinds of devices?