The clock is ticking: by 25th May 2018 at the latest, the new EU General Data Protection Regulation (GDPR) will apply and any non-compliant organisations will be subject to severe penalties. Companies of all sizes must adapt their security measures accordingly and install any missing protection mechanisms. A potential data leak source, which is often forgotten about but carries immense risk, is USB sticks.
USB sticks with sensitive data are a business risk
USB sticks allow us to access critical information, make copies, or process files anytime, anywhere. This increases efficiency and productivity, but unlimited flexibility and mobility come at a price.
According to research by Kingston Technology, almost three-quarters of respondents say that USB sticks are lost – with many containing confidential company data. Furthermore, the research found that 80 per cent of the data stores used have no hardware-based encryption. Losing USB sticks can therefore have major consequences. For example, the loss of personal data jeopardises customer relationships and can damage the reputation of the company. Depending on whose hands this information falls into, the consequences can be even worse.
In order to prevent such scenarios, the EU Data Protection Regulation forces companies to take steps to safeguard and protect sensitive information. It’s important to note that the rules don’t only apply to EU-based companies, but also to those who have business relationships with EU companies that process data.
Why are USB sticks vulnerable?
To avoid data loss, it’s important to analyse and identify which files contain sensitive information. USB sticks that are used throughout a company and at home by employees are often an underestimated risk. Once the new legislation comes into force in May, companies must be able to prove on demand at any time what data was stored on the individual sticks and whether they were encrypted or unencrypted.
The GDPR also stipulates that the required risk analysis includes potential costs calculated in proportion to the risk. This assessment covers the likelihood of data loss and the consequences of the possible damage caused as a result. Protective mechanisms that are put in place should also conform to the state of the art.
Recommendations from authorities such as the Federal Office for Information Security (BSI) or the European Union Agency for Network and Information Security (ENISA) can be used when it comes to questions about the meaning of the term “state of the art”.
The first step should be to have a complete overview of all personal data storage locations so you can stay in control and get a sense of where the most urgent action is needed or where a data leak could lead to the most extreme consequences.
Make sure you are on the safe side
As a concrete indication of how you can protect yourself from looming security risks and act in accordance with the new regulations, the GDPR requires the pseudonymization and encryption of personal data. In the course of pseudonymization, names are replaced by random number codes and the key is stored in a master table.
However, this measure alone does not provide reliable protection. For example, the table must be available at all times and must not be overwritten; in addition, information may indicate the identity of the people affected. Therefore additional encryption of the data is needed.
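The two pseudonymization caveats above can be made concrete. The following is an added example, not code from the article or from Kingston Technology: it replaces names with random number codes held only in a master table, shows that the table is the single point of failure (lose or overwrite it and the data can no longer be attributed), and shows that the remaining fields (here postcode and date of birth, on constructed fictional records) can still single out a person, which is why the article goes on to require encryption in addition.

```python
import secrets

# Constructed, fictional sample records for illustration only.
RECORDS = [
    {"name": "Alice Example", "postcode": "10115", "born": "1980-03-02", "note": "A"},
    {"name": "Bob Sample", "postcode": "20095", "born": "1975-11-30", "note": "B"},
    {"name": "Alice Example", "postcode": "10115", "born": "1980-03-02", "note": "C"},
]


def pseudonymize(records, master_table=None):
    """Replace each name with a random 12-digit code.

    The name -> code mapping is kept only in master_table; the pseudonymized
    records carry no other trace of the name. The same name always maps to the
    same code so records of one person can still be linked.
    """
    if master_table is None:
        master_table = {}
    used_codes = set(master_table.values())
    out = []
    for rec in records:
        name = rec["name"]
        if name not in master_table:
            # Draw a fresh random code; loop guards against the (unlikely) collision.
            while True:
                code = str(secrets.randbelow(10**12)).zfill(12)
                if code not in used_codes:
                    break
            master_table[name] = code
            used_codes.add(code)
        pseudo = dict(rec)
        pseudo["name"] = master_table[name]
        out.append(pseudo)
    return out, master_table


def reidentify(pseudo_records, master_table):
    """Reverse the pseudonymization via the master table.

    Raises KeyError if the table has been lost or overwritten: without it the
    codes cannot be attributed to anyone, which is the availability caveat.
    """
    code_to_name = {code: name for name, code in master_table.items()}
    return [{**rec, "name": code_to_name[rec["name"]]} for rec in pseudo_records]


def quasi_identifier_matches(pseudo_records, postcode, born):
    """Residual risk: fields left in the clear can still point at one person."""
    return [r for r in pseudo_records if r["postcode"] == postcode and r["born"] == born]


if __name__ == "__main__":
    pseudo, table = pseudonymize(RECORDS)
    print("pseudonymized:", pseudo)
    print("round trip ok:", reidentify(pseudo, table) == RECORDS)
    print("matches on postcode+birthdate:", len(quasi_identifier_matches(pseudo, "10115", "1980-03-02")))
    try:
        reidentify(pseudo, {})  # simulate an overwritten master table
    except KeyError:
        print("master table lost: records can no longer be attributed")
```

The master table is exactly the kind of object the article says must be kept available, never overwritten, and encrypted: whoever holds it can reverse the whole pseudonymization, and whoever loses it loses the ability to act on the data at all.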
A good quality indicator for encryption, according to memory products specialist Kingston Technology, is voluntary manufacturer certification such as FIPS 197 or FIPS 140-2 Level 3. So, if personal data is securely encrypted (the state-of-the-art 256-bit AES encryption complies with this), the information cannot be used even in the event of data theft or a data breach. In this case, the obligation to inform those affected no longer applies, since there is no danger.
Encrypted USB flash drives from Kingston minimise the risk
Kingston Technology’s DataTraveler DTVP3.0, DT4000G2, IronKey D300 and S1000 product lines offer a full line of USB flash drives that meet the highest security standards and allow you to secure your data in compliance with GDPR. The stored information is 100 per cent encrypted. In addition, they use a complex password protection system to safeguard against unauthorised access. After ten invalid login attempts, access to the data is no longer possible.
Kingston’s USB sticks are encrypted in XTS mode according to the current AES-256 security standard. Certifications according to FIPS 197 and FIPS 140-2 ensure that your data is completely safe even in the case of theft or loss. The DataTraveler 4000G2, IronKey D300, and IronKey S1000 models also provide physical protection against tampering.
For some of the USB sticks in the Kingston portfolio, such as the DTVP3.0, DTVP3.0AV, DT4000G2 with management and D300, you can also use a personalisation programme, for example through serial numbers and product IDs integrated into an endpoint management solution. The permitted number of access attempts can also be configured.
To provide adequate management solutions and easily meet compliance requirements, Kingston Technology is partnering with DataLocker, a provider of centralised management solutions. DataLocker provides SafeConsole and Enterprise Management System (EMS) software for Kingston’s encrypted DataTraveler and IronKey USB drives, making it easy to centrally manage the USB flash drives in the enterprise. Among other things, employees have features such as remote password reset or the automatic anti-malware scanner available, and system administrators retain control of all the company’s USB sticks.
Image: Fotolia/bluebeat76 https://de.fotolia.com/id/101828268