By Ruben Lugo, Strategic Product Marketing Manager at Kingston Technology
With all of the hacking, breaching, stealing, and compromising of personal data going on in the world, there are probably very few people left who don’t appreciate the seriousness of the problem.
Thankfully, this isn’t like a debate on pop tarts or toaster strudels, where there are two highly opinionated sides to the issue. Cybersecurity is a definite problem.
So much so that government entities are busy toughening up existing regulations or issuing new ones, to wit: the European Union’s General Data Protection Regulation (EU-GDPR) and the New York State Department of Financial Services’ 23 NYCRR 500. (See Cyber Defense Magazine article “New Regulations Governing Data Protection – Including the Use of Encryption – Now in Effect in the EU and New York State”, June 12, 2018 edition).
One thing cybersecurity experts agree on is that an organization’s use and promotion of encrypted USB flash drives as an additional security product and solution is crucial both for keeping confidential information confidential and for complying with new regulations.
The key to doing that is making sure they choose the right USB drive, as they range in quality from a free tchotchke giveaway at a trade show to a $600 high-capacity, state-of-the-art data protection encrypted security drive. Chances are your particular needs will fall somewhere in between.
So, Kingston has put together these eight easy-to-follow (and understand) tips on how to choose the best encrypted USB flash drive for your organization.
1. Build an encrypted USB plan: protect & comply
Incorporate encrypted USB Flash drives and policies into your organization’s overall security strategy. If your company does not have such a plan and guidelines, your organization is at risk at every level – including failure to comply with any regulations, which usually entails a nice round fine.
The best time to develop such a plan is before you need to prove you have one. The best time to begin indoctrinating employees on the need to use only company-approved USB drives is on their first day of work and orientation. In addition to giving new hires a badge, company handbook and company email address, present them with an encrypted USB drive. The plan should also include a contingency strategy for recovering lost drives.
2. Establish and enforce policies
If you don’t have the right policies in place for all to follow, USB drives can potentially be the downfall of your data security strategy. Setting a policy is the first step, and it’s an incredibly important one. Underscoring the need to establish and enforce USB policies, the Ponemon1 study results revealed that nearly 50 percent of organizations confirmed having lost drives containing sensitive or confidential information in the past 24 months.
A good start would be to identify the individuals and groups who need to access and/or download sensitive and confidential data on encrypted USB drives, then set a policy that allows them access. Document policies for the IT team and end users. Mandate that all employees attend training and sign an agreement post-training so they understand the acceptable use policies and the implications of not following guidelines.
3. Train and educate
If you don’t train and educate end users, you do not have a tightly sealed data loss prevention (DLP) strategy and are more prone to be breached. The same Ponemon USB security study found that 72 percent of employees use free drives from conferences and tradeshows, business meetings, etc., even in organizations that offer ‘approved’ USB solutions. Therefore, establish a training program that educates employees on acceptable and unacceptable use of USB flash drives and Bring Your Own Device (BYOD).
Walk users through actual breach incidents and other negative consequences that occur when using non-encrypted USB drives. Example: Heathrow Airport suffered a major unencrypted USB drive incident.
Get the support of HR and senior management. All employees should be trained as part of the company’s orientation and ongoing training.
4. Provide company-approved hardware-based encrypted USB drives
If you block or ban USB drives or USB ports and implement policies that inhibit employees’ productivity, they will usually find ways – out of necessity – to work around these security systems. Take a proactive approach and provide them with company-approved hardware-based encrypted USB flash drives for use in the workplace. Remember, these are security products and solutions which manage threats and reduce risks.
Approved flash drives should have the following features:
- Proven hardware-based encryption using Advanced Encryption Standard AES-256 in XTS mode (hardware-based security provides portability and superior encryption over host-based software encryption).
- User storage space should be 100-percent encrypted; no non-secured storage space should be
- Hardware-based password authentication that limits the number of consecutive wrong-password attempts by locking or wiping the memory clean from the device when the maximum number of wrong attempts is
- Meet the FIPS standards2 for your industry or company needs: FIPS 197 and/or FIPS 140–2 Level 3.
5. Encrypt confidential data
Top-of-the-line drives provide FIPS2 certification for their devices using advanced hardware-based AES 256-bit encryption in XTS mode. A step higher is an “On-Device Cryptochip” for an additional layer of protection. As another protection element, look for a physical layer of tamper-proof security: drives that use epoxy-coated boards or epoxy-filled metal cases to protect the physical memory from attack.
Encryption is the most trustworthy means of protection for organizations where confidential or sensitive data is part of their daily lives, e.g., financial, healthcare, government, insurance, etc. To ensure that data is safe, it should be encrypted before being sent out via email or saved on removable storage devices.
6. Certify anti-virus/malware protection is present at every entry point
It is not a stretch to say new threats emerge every hour or less, and can come from anywhere – email, websites, and removable media like USB drives and CDs. Up-to-date anti-virus software is critical for keeping a network safe from known and unknown threats. Ensure endpoint-host computer systems (while having several interpretations, the most common meaning is any device outside the corporate firewall) are equipped with up-to-date anti-virus software. It is also wise to consider software programs that extend protection against malware on USB devices when they are used in non-corporate-controlled PCs.
7. Identify the best USB flash drives for your organization/needs
If you don’t do your homework, your initiatives may be more challenging to implement and difficult to justify. A simple analysis of what your organization needs and knowing there’s a range of easy-to-use, cost-effective, encrypted USB flash-drive solutions can go a long way toward enabling your organization to get a handle on managing risks and reducing costs.
Recommended actions include:
- Determine the reliability and integrity of USB drives by confirming compliance with leading security standards such as AES-256 encryption, FIPS 197 or FIPS 140–2 Level 3, and managed solution. Some businesses, such as Kingston, provide a customized option for organizations that have more specific needs.
- Understand the many options available that balance corporate needs for cost, security, and productivity. Ensure you have the right level of data security for the right price. If you don’t need a military-grade casing, don’t pay for it.
- Work with your purchasing department and get support from executive
8. Manage authorized USB drives and block unapproved devices
Managing authorized drives is critical. Sensitive data can be copied onto these devices and shared with outsiders. Your organization then becomes the next statistic for data loss or theft.
There are two (2) great software management tools IT administrators can take advantage of:
- Data Loss Prevention (DLP) Endpoint management software allows device-level management tools to manage USB ports, data, and authorize specific encrypted USB Flash drives. DLP Endpoint solutions are a part of cybersecurity software solutions.
- Centralized device-level management software allows for drive control over LAN and Internet connections, such as Kingston’s SafeConsole and IronKey
- Establishing and enforcing encrypted USB usage policies on an individual and/or group basis
- Locking in a specific model or PID of an issued encrypted USB drive
- Locking out any other device that is plugged in – only the company-issued encrypted USB drive
- Allow or restrict files that can be transferred to the encrypted USB drive
- Auditing file activity to better track data moving in and out of your organization
- Remotely disabling devices when lost or compromised
- Allowing remote resetting of passwords when forgotten
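The model/PID lock-in and auditing items above can be checked independently of the management product by reading host logs. The following is an added example, not code from Kingston or from the original article: it parses Linux kernel USB attach messages and flags any mass-storage device whose vendor/product ID pair is not on the approved list. The allowlist, the ID values, and the log lines are constructed placeholders.

```python
import re

# Constructed allowlist of (idVendor, idProduct) pairs for company-issued
# drives. Placeholder values, not real product IDs.
APPROVED = {("1111", "a001")}

ATTACH = re.compile(r"\busb (?P<port>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DETACH = re.compile(r"\busb (?P<port>[\d.-]+): USB disconnect")
STORAGE = re.compile(r"\busb-storage (?P<port>[\d.-]+):[\d.]+: "
                     r"USB Mass Storage device detected")

# Constructed sample log (kernel message format, not captured from a real host).
# Port 1-2 is reused by a second drive; port 1-3 is a non-storage device.
SAMPLE_LOG = """\
[  101.10] usb 1-2: New USB device found, idVendor=1111, idProduct=a001, bcdDevice= 1.00
[  101.20] usb-storage 1-2:1.0: USB Mass Storage device detected
[  230.50] usb 1-2: USB disconnect, device number 4
[  310.00] usb 1-2: New USB device found, idVendor=2222, idProduct=b002, bcdDevice= 1.00
[  310.10] usb-storage 1-2:1.0: USB Mass Storage device detected
[  400.00] usb 1-3: New USB device found, idVendor=3333, idProduct=c003, bcdDevice= 2.00
"""


def audit(lines, approved=APPROVED):
    """Return one finding per mass-storage attach, marked approved or not."""
    attached = {}   # port -> (vid, pid) of the device currently on that port
    findings = []
    for line in lines:
        if m := ATTACH.search(line):
            attached[m["port"]] = (m["vid"], m["pid"])
        elif m := DETACH.search(line):
            attached.pop(m["port"], None)
        elif m := STORAGE.search(line):
            # ident is None when the attach line was missed; treat as unapproved
            ident = attached.get(m["port"])
            findings.append({"port": m["port"], "id": ident,
                             "approved": ident in approved})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print("OK   " if f["approved"] else "ALERT", f["port"], f["id"])
```

Only devices that bind the mass-storage driver are judged, so keyboards and other peripherals do not generate alerts, and a storage attach with no matching ID line is reported as unapproved rather than silently passed.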
2 (Federal Information Processing Standards – U.S. government developed standards that describe document processing, encryption algorithms, and other information technology for use in computer systems by non-military government agencies and government contractors)
About the Author
Ruben Lugo is the Strategic Product Marketing Manager for Kingston’s encrypted USB line, including the globally respected IronKey line of ultimate security encrypted USB drives as well as Kingston’s Server Premier DRAM and Enterprise SSD / name solutions for today’s high-performance servers. As a solution, technology and security enthusiast with over 18 years’ experience, he leverages his unique expertise in development, delivery and sales/marketing management from the CE, AV, and IT Networking industries. He’s contributed to the initiation of new trends in technology, from launching the first reliable wireless high definition audio video distribution system to high-bandwidth fiber optic networking solutions.