It’s not new news, but it definitely bears repeating—USB storage devices are among the biggest risks in the workplace. In 2013, the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) conducted a study on the prevalence, cause and effect of data breaches. They polled 450 compliance and ethics professionals on the subject of USB devices and came up with some interesting findings:
- USB devices are a great productivity tool for bringing work home or grabbing files on the go;
- They are the tool of choice for taking large amounts of information from employers; and
- One in four people in management positions believe it is okay to take information when leaving employment.
Last summer, Butler University in Indianapolis sent out a letter to alert employees and students that their personal information was exposed in a data breach. The university was made aware of the breach when contacted by California law enforcement. During an identity theft investigation, California authorities discovered a thumb drive on a suspect that contained the personal information of Butler University employees and students.
We are spending a lot of time trying to prevent hackers from breaking in the back door, when we should watch for it going out the front door. Poor employee handling is overwhelmingly the cause of the majority of breaches today. “If we put as much effort into our internal compliance program as we do in technical security, we would be more effective at preventing data breaches,” explains SCCE/HCCA CEO Roy Snell.
By the admission of business owners, 70 percent of the information lost over a two-year period (2009-2011) was stored on USB memory devices. These losses came as a result of malware introduced to the system, lost or stolen devices, or unauthorized downloads.
The following considerations can be your strongest defense—or your weakest link:
- Device inventory and tracking. It’s important with any records management program to identify where information is being used and stored. Determine what devices are being used to store information: paper, magnetic media, compact discs, computers or thumb drives. If thumb drives are already in use, it would be difficult to ban them all together; instead, issue a corporate authorized storage device with security software installed. The device can also be tracked and checked periodically for security updates.
- Internal compliance and training program. Create guidelines for compliance that incorporate current industry regulations as well as company needs. Consider functional necessity when authorizing access to information. Confidentiality and non-compete agreements should be included in any information protection policy. Success in a new compliance program will require buy-in from the top down, followed by company-wide training.
- Disposal policy. Make sure your information protection policy includes specific guidelines for secure disposal, as well as retention guidelines.
- Auditing. Regular auditing and refresher training on procedures and policies are necessary for the success of any information security program. In the effort to control data within your organization and mitigate loss, reinforce security from inside with new policy requirements and inventory tracking. iBi
AAA Certified Confidential Security Corp specializes in the protection and secure destruction of information-bearing media. CSC can help organizations write an information protection and destruction policy and educate employees on compliance laws, procedures and best practices.