So it’s Monday morning and you need to get to the office, but you only have odd socks in your draws. Where have the matching socks gone?
I have a theory that there are little people living under our houses that run around collecting ‘odd-socks’, to save us from the err of becoming too predictable and symmetric. I call them “the Collectors”. They don’t only collect odd-socks, they collect hair clips, pens, and here is where the information security bit comes in… USB memory sticks, commonly referred to as ‘thumb-drives’.
How else can we explain where our USB sticks disappear to? How many have you purchased or acquired in the last 10 years? Where are they now? Fortunately for us “the Collectors” are not interested in what is contained within this little plastic sticks, so it really is not a concern to us security conscious individuals. Or is it? Because although it really is no big deal if you turn up at the office with odd socks, it has become pretty cool nowadays. The memory sticks are a bit tricky. How much data is stored on them and is some of this personal data?
But what is personal data? This is difficult. Nowhere has a clear definition of personal data been stated, although Personal Identifying Information (PII) and sensitive data has been defined. In the EU even the IP address is classed as PII. The problem is that data can be combined from different data sources to become identifying data, that could be on one or more of yours, or your employees’ memory sticks.
The new EU Data Protection Regulation due out December this year, potentially January 2016, will have the power to impose fines on those companies that lose personal data. Numbers we have at the moment is between 2% and 5% of revenue for each data loss. In public sector the fines will be fixed. What this means is that when one of your employees loses one of their memory sticks your company is liable to the consequences.
So what’s the solution? Well this is what is rather nice, it is simple when it pertains to data that is stored on movable persistent storage, e.g. memory stick.
- Request all your employees to turn in their memory sticks;
- Destroy them, securely;
- Replace with an encrypted stick, that has a simple PIN code build in;
- Enforce the use of encrypted sticks using a Port-LOCK functionality found in most virus scanning packages today that is often not implemented;
- Log all data that is copied to and from USB devices.
This is not difficult to implement, and pretty inexpensive. This mitigation will block one of the main channels/threat vectors for data loss in your organization.
You could of course just keep hoping that it is ‘the Collectors’ who have all of your mislaid memory sticks in your organization? If I am right about that too…. but I wouldn’t believe me, if I were you 😉
Reblogged this on Virtual Shadows and commented:
I thought this was rather funny. A Post from over 2 years ago, and rather cute at that 🙂
Using encrypted USB memory sticks is a preventative measure, is it not Inge?
Yeah, the “little people” have a long tradition of mythical presence in pre-modern times, getting the blame for most inexplicable events close to the house! You also have to be nice to them, serving a plate of porridge for them once in a while!
Logging of file names and hash sums of information going out (and in) from USB sticks is of course a tempting solution. There is a lot of considerations to be made before implementing schemes like logging.
Personally I favor preventative solutions, but here there is no binary decision criteria that can be implemented. An automatic solution cannot decide on the legitimacy and intentions of the extraction. I would like to see solutions that asses and identify potential privacy issues of in- and outgoing documents. E g an alert to user informing him/her to contact the Privacy Officer for a risk assessment on the intended document sharing.
Accepting incoming documents with issues can be as bad. The organisation may unknowingly commit offences to other organisations and law due to employee actions. It’s the organisation that is finally responsible for the non economic consequences of an employee’s actions, regardless of litigation processes’ outcomes in form of damage claims or insurance pay outs.
Logging can always be implemented by an employer if properly negotiated with unions and explained in policy communications. E g in which circumstances the log data is to be used, for what purposes and by whom.
A long retention period increases the chances to get a full impact analysis. The time period between incident occurrence and discovery is reported to average more than a year. The draw back of a long retention period to consider is that the organisation may become involved in enduring and costly litigation investigation requests with hostile intentions claiming that the organisations is in possession of documents it should not have access to. Then you need a logging system you can trust. Informing litigators that data has been lost due technical problems will not build your reputation of compliancy.