Why the humble USB stick could be your organisation’s biggest security flaw

When it comes to data security, simple things can derail the policies organisations put into place. I’m thinking of two recent incidents at well-known organisations both involving the humble USB stick.

The discovery and subsequent return of a memory stick containing 3,000 patient records from the East Sussex NHS Trust highlights how data breaches are often not the result of a sophisticated attack.

In the case of the East Sussex NHS Trust, the data was not even password protected. Similarly, Barclays Bank is now compensating 2,000 customers after their details were found on a USB stick in a London flat. The stick is believed to have been encrypted. It was found as part of an unrelated criminal police investigation.

The Online Trust Alliance showed last year that almost one-third of data breaches were caused either accidentally or maliciously by employees. It’s no surprise really, when you consider that a USB stick is about as easy to lose, or hide, as a pen. Whether by accident or design, these stories highlight just how difficult it can be to keep a handle on data.

> See also: The 5 layers of data protection – what businesses need to know

Moving data securely and reliably to support critical business processes has never been more important — and challenging. Files that contain sensitive data such as credit card details or medical records are protected by government and industry regulations, which are subject to frequent updates to keep pace with the digital economy.  

For instance, the new EU data protection regulation coming into force in 2016 will mean that organisations will not only need to be sure of their file transfer policies, they will also need to demonstrate a clear audit trail.

As the digital economy becomes the norm, more and more sensitive files must be transferred securely with full traceability across a growing array of end-point devices. Managed file transfer can help make the data accessible, while giving back complete control to the IT department.

It’s no longer good enough just to have the right policies in place for secure data transfer, an organisation must ensure it has the right file-transfer technologies, security systems, processes and, most importantly, staff training.

There are some key considerations for any organisation when reviewing how to secure information in transit:

The importance of visibility

When the East Sussex Healthcare NHS Trust chief executive Darren Grayson explained the memory stick belonged to an employee and was not compliant with trust policy that mandates encryption, he was pointing out the bleeding obvious. However he also highlighted a key issue of data security. If you can’t track it, it isn’t secure.

True data security goes hand in hand with data visibility. Managed file transfer provides many security mechanisms and offers the flexibility to ensure compliance with data privacy regulations and policies. It addresses three key areas of concern: compliance, audit and real-time monitoring.

Better performance

Sure, file transfers can be done with email, FTP clients or Dropbox-like services. But have you considered the limitations? Beyond security, the real value of managed file transfer comes from automation. Every repetitive process involving the movement of data can be automated, which ultimately reduces costs and increases productivity.

A few mistakes can kill productivity because of lost business and the large amount of time people spend trying to fix the problem. A fully secure and safe system can lead to any number of innovations and make your company much more responsive and agile.

Enterprise-wide solution

In a connected and competitive business environment, the three elements that deliver most value are cost reduction, risk reduction and IT agility. File transfer mechanisms can address each of these. By automating, managing and controlling all file transfers from a central point of control, managed file transfer employees are able to easily send and share files using IT-approved methods.

Importantly, we are talking about an approach that is easy to use for all employees and is applicable to almost all instances of file transfer. What’s more, in a world where it makes sense to be better connected with partners, contractors or customers, it provides visibility of the transfer and storage of all files between customers, employees, partners, business systems etc.

Scalability

When considering a managed file transfer solution, don’t be put off by the ‘managed’.  Self-administration is an important element in any solution. It needs to integrate with the existing services – the last thing you want is yet another directory or security service provider to add complexity.

As businesses become more responsive or grow, it may be necessary to invoke file transfers or verify operations from many locations and devices. Being able to add new partners yourself or invite users to participate in secure file transfers frees up the IT admin time to perform other tasks.

End-to-end encryption

It’s always a good idea to have end-to-end encryption, meaning the data isn’t merely encrypted on the network, but encrypted while sitting on storage devices or personal devices.  Employees’ laptops and phones are easily lost or stolen, meaning the data on them is at risk unless it is protected.

> See also: Five ways SCADA security should be improved

You could summarise the challenges today’s IT leaders face as security, responsiveness and reliability. Protecting data is a major concern, and more and more business systems must exchange or synchronise data across the open Internet with remote locations, while maintaining archives.

The recent data breaches at the East Sussex NHS trust and Barclays Bank should act as cautionary tales that illustrate the consequences of a disconnect between security policies and actual practices.

They highlight the need for organisations to be able to join the dots between data protection policies, technologies and processes. As enterprises increasingly become borderless and as data volumes grow, fully traceable, secure data transfer has emerged as an indispensable technology.

Sourced fro Alessandro Porro, Senior Vice President International, Ipswitch

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...