Punching above its weight: why the USB has a key role to play in cyber-defence

By Jon Fielding, Managing Director EMEA, Apricorn

As technology has advanced, many once-ubiquitous pieces of business equipment have been relegated to the back of a cupboard. You might be forgiven for assuming that the advent of cloud and smartphones would send the trusty USB drive the same way as the fax machine and Rolodex – but this isn’t the case.

Removable storage devices have a new, enhanced role to play in business life, as a powerful tool in an organisation’s data protection armoury.

Collaboration platforms, cloud services and mobile apps all enable us to share, store and access corporate data easily and instantly, from wherever we are. But these technologies have brought their own risks, as have the evolving working practices they facilitate.

Consumerisation of IT, bring your own device (BYOD) and the increasingly mobile, flexible workplace all present serious data protection challenges.

In a survey carried out by Apricorn this year, almost half of organisations admitted their mobile workers have knowingly put data at risk, while nearly a quarter said they can’t be certain their data is secure when used in a remote working environment.

At the same time, the UK Information Commissioner’s Office (ICO) has begun to flex the new powers it has under GDPR, hitting British Airways and the Marriott hotel chain with massive fines of £183m and £99.2m respectively for breaching the rules. The ICO recently announced that the number of data breach reports it received in the year since GDPR was introduced was four times higher than the year before.

Organisations face a monumental task: to control access to sensitive data when it’s on the move, and embed privacy in all business operations, without impeding employees’ productivity and efficiency. Here’s where secure removable storage devices come into their own – as a key part of a cybersecurity plan that has encryption at its heart.

The last line of defence

Most cyber attackers tend to seek the path of least resistance, exploiting simple weaknesses such as a lack of software patching. Phishing is one hugely popular technique which takes advantage of low levels of security awareness among users. Human error is at the root of many data breaches – sending an email to the wrong person or mislaying a mobile device is easily done.

Encrypting all corporate information as standard, when it’s in transit or at rest, will mitigate all these risks and safeguard the data whatever may go amiss. Although specifically recommended in Article 32 of GDPR as a means to protect personal data, encryption isn’t a silver bullet in itself – but when it’s embedded within a holistic information security plan and associated processes, it provides the most effective last line of defence. Businesses are catching on: two thirds of organisations now hardware-encrypt all information as standard, up from just half last year (Apricorn survey 2019). There’s also a high level of awareness of the risk of not doing so, with lack of encryption cited by IT decision makers as the cause of 27 per cent of all data breaches.

Extending the boundary

The availability of USB drives with hardware encryption capabilities built in enables this line of defence to be extended outside of the organisation, when data is at its most vulnerable: on the move.

These automatically encrypt all data written to them, locking it down so that if the device is lost or stolen the information will be unintelligible to any unauthorised actor trying to access it. This provides employees with a practical way to safely and reliably store, transport and share large amounts of sensitive data offline.

Strict policies detailing exactly which removable storage devices are allowed, and how they must be used, should be introduced and enforced through whitelisting on the IT infrastructure. This will block access to USB ports for all non-approved media, preventing data from being downloaded to unencrypted devices. In addition to being trained in how to use the sanctioned USB devices properly, employees need to be educated in the ‘why’; the reasons data protection is important, and the risks and consequences of a data breach.
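The whitelisting decision described above can be sketched as a default-deny check on each USB attach event. This is an added example, not Apricorn's or any endpoint product's code; the vendor IDs, product IDs and serial numbers are constructed placeholders, and the UsbDevice record and the decide and audit functions are hypothetical names.

```python
from dataclasses import dataclass

MASS_STORAGE_CLASS = 0x08  # USB interface class code for mass storage

# Constructed allowlist: (vendor ID, product ID) -> serials issued to staff.
# Every value here is a placeholder, not a real product or device.
APPROVED = {
    (0xAAAA, 0x0001): {"ENC-0001", "ENC-0002"},
}

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: tuple  # bInterfaceClass of each interface

def decide(dev: UsbDevice) -> str:
    """Return 'allow', 'block' or 'ignore' for one attach event."""
    if MASS_STORAGE_CLASS not in dev.interface_classes:
        return "ignore"  # not removable storage, outside this policy
    serials = APPROVED.get((dev.vid, dev.pid))
    if serials is None:
        return "block"   # unapproved model: default deny
    # Approved model, but only drives the organisation issued are trusted.
    # Identifiers are reported by the device itself, so this enforces
    # policy; it does not authenticate the hardware.
    return "allow" if dev.serial in serials else "block"

def audit(events):
    """Count allowed devices and list blocked ones for follow-up."""
    blocked = [d for d in events if decide(d) == "block"]
    return {"allowed": sum(decide(d) == "allow" for d in events),
            "blocked": [f"{d.vid:04x}:{d.pid:04x} {d.serial}" for d in blocked]}

# Constructed sample attach events.
SAMPLE = [
    UsbDevice(0xAAAA, 0x0001, "ENC-0001", (0x08,)),    # issued encrypted drive
    UsbDevice(0xAAAA, 0x0001, "ENC-9999", (0x08,)),    # same model, not issued
    UsbDevice(0xBBBB, 0x0002, "PERSONAL", (0x08,)),    # unapproved drive
    UsbDevice(0xCCCC, 0x0003, "KBD", (0x03,)),         # HID keyboard
    UsbDevice(0xDDDD, 0x0004, "COMBO", (0x03, 0x08)),  # composite with storage
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Checking every interface class, rather than only the first, means a composite device that also exposes storage is still blocked.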

Ongoing digital transformation, along with the adoption of cloud, AI and IoT as business enablers, is introducing an extra layer of complexity that increases an organisation’s attack surface. Alongside this, the stark reality of the impact of GDPR when it’s applied in anger has become clear – not just the financial penalties and cost, but the effect on reputation and brand loyalty. This is likely to trigger an upturn in spending on cybersecurity.

Money has to be spent in the right areas, but this doesn’t necessarily mean investing in costly, sophisticated solutions. In fact, these can bring new vulnerabilities by adding to the already complex IT environment. Sometimes a simple, straightforward tool can punch well above its weight when it comes to strengthening the security posture – and the USB drive is one such device. Not only can it help an organisation defend its data against risks posed by common failures in process and employee mistakes; it also has the potential to help it avoid a hefty fine from the ICO.