Data losses on USB sticks – it’s raining again

The problem of lost USB sticks has been back in the news recently with data losses moving from laptops to the storage devices.

In January, the Information Commissioner’s Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man jointly criticised Praxis Care after an unencrypted memory stick was lost last year. It contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland.

Last week, the details of more than 1,000 school pupils were lost when a USB stick was misplaced by a member of East Lothian Council.

It was at the end of 2009 that I looked back at ‘a tricky 12 months for the USB stick’ when it was blamed for data loss and Conficker. While the problem has not been eradicated completely, it does seem to be slipping back somewhat.

I recently spoke with a new company offering what it calls the ‘Fort Knox’ of USB memory sticks: I know what you are thinking, heard it all before. Well what caught my attention was that this was less a memory stick and more a tracking device, with GPS and GSM modules to track where it is and deliver this information securely to a management console hosted securely on Fujitsu’s Global Cloud Platform.

It also features remote wipe capabilities of any data on the device, whether it’s plugged in to a USB socket or not.

Named Security Guardian, creator ExactTrak said that its inbuilt software is linked to an online monitoring platform that protects against the biggest problem with mobile data security: human error.

Managing director Norman Shaw told SC Magazine that Security Guardian is been adopted by users due to it being encryption technology-agnostic and available with either 16 or 32GB storage.

He said: “We applied intelligent elements to communicate with the device and we can turn the device on or off and delete the memory. We can know where it is geographically.
“We met with the ICO and they said that it is all very well having encryption but 50 per cent of people share passwords. One of the technologies on this is that if you share a password, you can remotely remove or turn data off. A problem is that data losses are often not reported for months; we say this can overcome the stigma of losing data by saying ‘we lost the device but we deleted the contents of it’.”

Shaw said that this is sold not as a product but as a service, and a recent partnership with Fujitsu saw its Global Cloud Platform selected to host the back-end infrastructure.

The heart of the Security Guardian solution is the management console which provides remote access to the devices and maintains a verifiable audit trail detailing when and where data was accessed. ExactTrak said it needed a partner that could host the management console while providing the utmost levels of security, scalability and availability, and it selected Fujitsu’s Global Cloud Platform as a secure portal and because it could offer “global scalability almost instantly”.

Shaw said: “Once data is on the device it is encrypted. We have Trusted Client technology from Becrypt and the cloud capability from Fujitsu and it is all dynamic data on the device, so what is on there is secure.”

In my recent conversation with Thales, it was suggested that technology should make encryption transparent, and “if you know you are using it then it has gone wrong”. I asked Shaw if he felt there was a problem with encrypted data and that people were not using it.

He said: “Some people realise the problem of encryption, so how do you prove that it was turned on? You say that a laptop was encrypted, but then it appears on eBay and it turns out that it wasn’t encrypted at all.

“With our solution you can say that the data was turned on or off on the management console with a verifiable audit trail and the ICO can say the matter is closed.”

There are solutions out there to prevent data loss and most of them offer different levels of security and capability, and what ExactTrak offers is certainly different – the capability to react after the incident.

Original article from SC Magazine  Feb 2012

Could High Profile Data Losses Be A Thing Of The Past?

Over the past year a number of organisations have suffered high profile data losses, leading to hefty fines and considerable damage to their reputation. With the EU data protection law set to change imminently, the importance of effective strategies to prevent data loss and the ability to detect and respond to data breaches quickly has become of paramount importance to businesses.

The European commission has put forward  proposals that greatly strengthen data privacy laws and see a single set of rules on data protection applied across the EU. The new law would mean increased responsibility and accountability for those processing personal data, with organisations required to inform their national supervisory authority of serious data breaches as soon as possible – within 24 hours where feasible.

This, coupled with the high profile media coverage of data loss incidents, is forcing businesses to become more aware of the risk their operations are exposed to without adequate data security policies.

Additionally, each time we hear about data loss cases such as a lost USB memory stick or a stolen laptop containing sensitive information, which accounts for over 65% of recorded data losses, we are quickly reminded that these are often the result of human error.

One recent story condemns East Lothian Council who lost the personal data of over 1,000 pupils because one employee downloaded the information to a memory stick and subsequently lost it. Another example is Irish telecoms firm eircom, who recently confirmed the theft of three laptops containing personal information of over 7,000 customers.

The laptops were not encrypted and as a result the organisation has been heavily criticised by the Data Protection Commissioner for failing to employ standard data security measures and faces a very hefty fine.

In the UK, unlike some European countries, if the data loss has been caused by the actions of an individual employee, the penalty fine will be issued to the data controller within the company and the company itself will be liable to pay.

This, alongside the fact that human error will inevitably continue and the use of USB memory sticks is only set to proliferate, means that businesses need to adopt technology solutions that work within those parameters to protect themselves.

Even if your organisation uses encryption products, you still have significant exposure. Many surveys and reports have found that encryption is often turned off and there is no way to be able to prove the product was encrypted without recovering it. The sharing of passwords is also a very common potential exposure.

Of course, people can and will always make mistakes but businesses can protect themselves through readily available technology solutions. USB keys exist today that can have their memory turned on, off or deleted remotely and can be located through inbuilt GPS technology. Businesses have the power to avoid future data losses but the solution is just as much a people one as it is a technology one.

Norman Shaw. CEO ExactTrak Ltd. manufacturers of Security Guardian

Published in Business Computing World    Feb 2012

Security Guardian USB stick can be tracked and remotely deleted

Using a web-based console, administrators can also apply policies to Security Guardian devices used by their staff, and locate them if required using their built-in GPS capability.

However, the GPS does not simply allow lost devices to be tracked, but also enables organisations to set location-specific policies governing their operation.

The memory can be enabled or disabled for specific geographic areas, so a hospital could configure their memory sticks to only work when they are actually on the premises,” said Shaw.

Administrators can also set a policy so that the device will automatically disable its memory if it has been unable to check in with the ExactTrak cloud service for any length of time.

In this state, the data is preserved, but cannot be accessed until the Security Guardian is able to communicate with the management service again. When the memory is disabled, it is electrically isolated from the USB interface, according to ExactTrak.

Unlike many other secure USB Flash drives, Security Guardian devices are not self-encrypting. This is because customers told ExactTrak that they wanted them to function with encryption services they were already using, such as Becrypt Trusted Client, Shaw said.

Because of the unusual nature of the Security Guardian devices, they will be sold via system integrators such as Fujitsu as part of a service package including GSM provision. Customers can expect to pay £25 to £30 per device per month.

Published in V3.co.uk  Feb 2012