In this brief article we will look at the use of portable media: the benefits, the risks and the things you should consider to ensure your data is protected.
If you use any type of portable media for storing files, then you should read on. It may be that you have a USB drive, pen drive or flash drive: typically something that connects using the USB port and allows you to move your files between your different computers.
We see several technology sets in use for sharing and moving data between devices:
We have seen a decrease in the use of portable media as cloud solutions such as Microsoft OneDrive and Dropbox have increased in popularity, but portable drives are still widely used. Many of these drives have no protection, and simply plugging in the drive gives access to the data. Whatever the intentions are, we always find that sensitive data will find its way onto these devices. We will look at solutions for securing data in these online platforms in the next article.
Pros – Ease of Use, Low Cost, Portability, High Capacity
USB drives and pen drives have the benefit of ease of use, low cost and portability. They are literally just plug and play, and that is why many small companies use them. Whether it’s transferring files or being used as backup storage, they find many uses.
Cons – Ease of Use, Low Cost, Portability, High Capacity – Risks
The same things that make them very useful also have some serious consequences for your data privacy. What are the negative aspects and how do you overcome them?
Ease of Use - Because they are so easy to use, the risk if you should lose a device is huge: in many cases the person finding the device just has to plug it in and read the data. It’s a scary thought and unfortunately a reality that many find themselves in.
Low Cost - These devices are so low cost now that they get used for everything, from storing general documents to backups for complete systems. These devices shouldn’t be relied on for long term high usage roles where you need reliability.
Portability - Pen drives, which are basically just chips with no moving parts, may be quite rugged, but their small size makes them easier to lose than the average set of car keys. USB drives are generally bigger, the size of an average laptop disk, but are often subject to knocks and bangs when being moved and transported; it only takes one drop and the risk of data loss is going to increase dramatically.
High Capacity – The increasing capacity we see on these drives means they get used for anything and everything, including storing important, confidential and sensitive data along with huge volumes of general data. This can have two negative effects. The duplication of data without control becomes a nightmare to manage, with large volumes of data being edited on multiple devices. The volume of data that can be lost forever, or even worse lost into someone else’s hands, is huge.
Actions to take away:
1. Review the type of data you are storing and the risks
Consider the type of data you are storing, and the risk should someone else get their hands on it. Would you be happy with your most personal files being available to anyone picking up a lost drive? If you must use portable media, consider the risks and worst-case scenario of a data breach or loss. The level of protection needs to be proportionate to the risks: you wouldn’t expect the Government to store sensitive documents on an unencrypted drive, and if it was encrypted you wouldn’t expect the Government to use something that could easily be cracked.
2. Purchase the correct type of device.
If you use portable media then purchase a device that has built-in encryption, and not a device that requires you to run some software first. We always recommend a device with hardware encryption; you can see from the image below the devices have a number pad that you must enter a password on before the drive will allow access. Even if these devices are taken apart the data is not accessible. Devices with tamper protection and tamper identification are great for high security environments. These devices have different levels of encryption, so pick one with a recognised standard such as FIPS 140-2 or NCSC CPA.
3. Don’t use these types of drives for regular backups
Portable media is useful for short term backups where additional backups already exist. It's not my first choice, but any backup is better than nothing, but only when it's properly secured. If you want a backup then talk to us about a true online backup solution and we will make sure your data is adequately protected. If you need a secure large capacity drive then we can supply an encrypted model, which will meet any certification requirements.
I specifically like the ability to buy these drives in different colours; the red really sticks out when left on a desk. Use different colours to classify the data content for your own benefit. Consider these devices when auditing your data for GDPR purposes: make a record of the portable media that you use and have a way of controlling access to them. List them in your information asset register and, if they are encrypted like these, state that and the encryption level along with the type and quantity of data.
You may decide to get rid of all your portable media and move to online services, but this can have a similar problem: control of data access and the spread and management of data within these platforms is just as difficult. We will show in the next article how to protect this data using the same levels of encryption.
If you have questions then please contact us on 023 92482556 or email on firstname.lastname@example.org