USB devices provide a convenient way to transfer data between two computers.
We have been using them for years and just about everyone owns one. However, we must ask whether they provide sufficient security when personal data is transferred.
We will describe the potential risks of USB flash drives in this blog.
1. Transfer of personal data via a USB flash drive
Data can be put on a USB flash drive easily and efficiently, which is why just about everyone has been using them for many years. In the context of the GDPR, however, we have to ask ourselves whether we can continue to do so.
The small physical size and large storage capacity mean that large amounts of personal data can be lost or stolen relatively easily.
USB security: Risks of loss and impact on sensitive corporate data
USB drives allow us to access critical information, make copies or process files anytime, anywhere. This increases efficiency and productivity, but unlimited flexibility and mobility come at a price.
What does that mean?
That means it is important to ensure that only YOU and possibly your customers have access to personal data.
However, this sounds easier than it really is.
According to research by Kingston Technology, 75% of respondents had lost USB sticks, many of which contained confidential business data.
In addition, the study found that 80% of the storage devices in use do not have hardware-based encryption. Losing a USB flash drive can therefore have immense consequences. For example, the loss of personal data jeopardizes customer relationships and can damage the company’s reputation. Depending on whose hands the information falls into, the consequences could be worse still.
Impact on businesses worldwide
To avoid such scenarios, the GDPR forces companies to take steps to protect sensitive information. It is important to note that the rules apply not only to EU-based companies, but also to companies that have business relationships with EU companies that process data.
2. Why are USB flash drives vulnerable?
To prevent data loss, it is important to analyze and identify which files contain sensitive information. USB sticks used by employees throughout the company and at home are often an underestimated risk.
Companies should be able to show at any time what data is stored on the individual sticks and whether it is encrypted or unencrypted.
Costs, Consequences and Advanced Protection Mechanisms
The GDPR also states that the required risk analysis includes potential costs, calculated in proportion to the risk. This assessment covers the likelihood of data loss and the consequences of the potential damage resulting from it. The protection mechanisms introduced must also be in line with the state of the art.
Recommendations and Control over Storage Locations
Recommendations from authorities such as the Federal Office for Information Security (BSI) or the European Union Agency for Network and Information Security (ENISA) can be used when it comes to questions about the meaning of the term “state of the art.”
The first step should be to have a complete overview of all personal data storage locations so that you can stay in control and get an idea of where the most urgent action is needed or where a data breach could lead to the most extreme consequences.
3. Consequences of losing a USB flash drive
Losing a USB flash drive containing personal data is a data breach under the GDPR.
Since Jan. 1, 2016, the Data Breach Notification Duty has been in effect, which means that companies must immediately notify the appropriate data protection authority as soon as there is a risk of a data breach.
If they fail to do so, they are violating the GDPR and the data protection authority can impose fines that could run into the millions.
Porsche data breach: loss of USB stick containing customer billing data
Losing a USB flash drive is quick, and the consequences are often irreversible. For example, in 2020 a USB flash drive went missing at one of the company’s Porsche branches.
It contained billing data from customers who had purchased a car. The USB stick held the following personal data: names, addresses, e-mail addresses and “billing information”.
4. How to safely use a USB flash drive
There is the option of encrypting personal data by placing the files in an encrypted container on a USB device, but the recipient must have access to the same encryption algorithm or software.
Hardware-encrypted USB devices are also available that have the necessary encryption capabilities built into the device, meaning the data can be decrypted without the user having to install additional software.
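The encrypted-container approach described above, worked out as an added example (this is not code from the original post or from any product it names). It assumes the third-party `cryptography` package, a container layout constructed for this example (a magic header, a random salt, a random nonce, then AES-256-GCM ciphertext), and a passphrase that is sent to the recipient out of band. The same header also lets an `inventory()` pass show which files on a stick are encrypted and which are still plaintext, the overview section 2 asks companies to be able to produce; the file names, the sample customer record and the passphrase are constructed.

```python
"""Encrypted container for files carried on a USB stick (added example, not the post's own code).

Container layout (constructed for this example, not a published standard):
    MAGIC (8 bytes) | salt (16) | nonce (12) | AES-256-GCM ciphertext + 16-byte tag
The passphrase that unlocks it travels over a separate channel from the stick.
Requires the third-party 'cryptography' package.
"""
from __future__ import annotations

import secrets
import tempfile
from pathlib import Path
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"USBENC01"   # marker we use to recognise our own containers on a stick
SALT_LEN = 16
NONCE_LEN = 12
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase with scrypt so a found stick cannot be brute-forced cheaply."""
    kdf = Scrypt(salt=salt, length=32, n=2 ** 14, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Wrap plaintext in a container; a fresh salt and nonce are drawn every time."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    key = _derive_key(passphrase, salt)
    # MAGIC is passed as associated data, so the header is covered by the GCM tag too.
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def unseal(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Return the plaintext, or None when the passphrase is wrong or the blob was altered."""
    if len(blob) < HEADER_LEN + 16 or not blob.startswith(MAGIC):
        return None
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[HEADER_LEN:], MAGIC)
    except InvalidTag:
        return None


def is_container(path: Path) -> bool:
    """Cheap header check used to audit what is on a stick without needing the passphrase."""
    with open(path, "rb") as fh:
        return fh.read(len(MAGIC)) == MAGIC


def inventory(mount_point: Path) -> dict[str, bool]:
    """Map every file under the mount point to True (encrypted container) or False (plaintext)."""
    return {
        str(p.relative_to(mount_point)): is_container(p)
        for p in sorted(mount_point.rglob("*"))
        if p.is_file()
    }


def demo() -> tuple[dict[str, bool], Optional[bytes], Optional[bytes]]:
    """Simulate a stick in a temp directory with one sealed and one plain file (constructed data)."""
    passphrase = "correct horse battery staple"               # would be sent out of band
    customer_csv = b"name,email\nJ. Doe,j.doe@example.com\n"  # constructed sample record
    with tempfile.TemporaryDirectory() as tmp:
        stick = Path(tmp)
        (stick / "billing.csv.enc").write_bytes(seal(customer_csv, passphrase))
        (stick / "readme.txt").write_bytes(b"plain text left on the stick")
        listing = inventory(stick)
        blob = (stick / "billing.csv.enc").read_bytes()
        recovered = unseal(blob, passphrase)
        tampered = bytearray(blob)
        tampered[-1] ^= 0x01                                  # flip one bit of the tag
        rejected = unseal(bytes(tampered), passphrase)
    return listing, recovered, rejected


if __name__ == "__main__":
    listing, recovered, rejected = demo()
    for name, encrypted in listing.items():
        print(f"{'encrypted' if encrypted else 'PLAINTEXT'}  {name}")
    print("decrypted with passphrase:", recovered is not None,
          "| tampered copy rejected:", rejected is None)
```

Because GCM authenticates the data, a wrong passphrase and a modified container fail in the same way (no plaintext is returned), which is what you want when a stick has been out of your hands; the inventory check relies only on the header, so an auditor can report encrypted versus plaintext files without ever holding the passphrase.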
Because of the security risks of allowing USB devices, a number of organizations have implemented policies that prohibit them or technically restrict their functionality.
USB drives: legitimate applications and security measures for businesses
There are many legitimate uses for USB drives, so many businesses continue to prefer them for moving large files, maintaining backups, protecting against ransomware attacks and helping recover from outages, along with a mobile way to access data.
Another option is to transmit the key or password to the recipient via a separate communication channel.
Some companies are also implementing visibility tools that allow them to manage the use of USB drives, with the ability to block the movement of data to drives.
Managing access and blocking as needed
By adding the ability to track the usage of these devices, you can control who can or cannot access them. More importantly, it allows you to block access where necessary. This method can be useful for larger companies with multiple users.
There are several tools that offer tracking, such as My USB Tracker and IHound. If this is a path you want to take for your client, these are worth checking out.
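The tracking described above, shown as an added example of what a visibility tool records (this is not code from the original post and not the logic of My USB Tracker or IHound). It assumes Linux kernel messages in the `dmesg` format as the data source; the log lines below are constructed for the example, the serial number is a placeholder, and the approved-serial allow-list is an assumption about how a company keeps its list of issued sticks.

```python
"""Audit which USB mass-storage devices were attached, from kernel log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of Linux kernel messages: a Kingston stick on port 1-3 that is later
# unplugged, and a Logitech wireless receiver on port 1-4 that is not a storage device.
SAMPLE_DMESG = """\
[  812.101000] usb 1-3: new high-speed USB device number 4 using xhci_hcd
[  812.250000] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  812.250100] usb 1-3: Product: DataTraveler 3.0
[  812.250200] usb 1-3: Manufacturer: Kingston
[  812.250300] usb 1-3: SerialNumber: SERIAL-PLACEHOLDER-A
[  812.300000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  901.000000] usb 1-4: new full-speed USB device number 5 using xhci_hcd
[  901.120000] usb 1-4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[  901.120100] usb 1-4: Product: USB Receiver
[  901.120200] usb 1-4: Manufacturer: Logitech
[ 1500.000000] usb 1-3: USB disconnect, device number 4
"""

# "[ts] source port[:interface]: message"; the interface suffix (e.g. ":1.0") is dropped
# so that usb-storage lines land on the same port key as the usb lines.
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<src>\S+)\s+(?P<port>[\d.-]+)(?::[\d.]+)?:\s+(?P<msg>.*)$"
)
ID_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")


@dataclass
class UsbDevice:
    port: str
    connected_at: float
    device_number: Optional[int] = None
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    manufacturer: Optional[str] = None
    product: Optional[str] = None
    serial: Optional[str] = None
    mass_storage: bool = False
    disconnected_at: Optional[float] = None


def parse_usb_events(log: str) -> list[UsbDevice]:
    """Build one record per attached device, in order of first appearance."""
    devices: list[UsbDevice] = []
    current: dict[str, UsbDevice] = {}   # port -> device currently plugged in there
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, port, msg = float(m["ts"]), m["src"], m["port"], m["msg"]
        if src == "usb" and msg.startswith("new ") and "device number" in msg:
            dev = UsbDevice(port=port, connected_at=ts)
            dev.device_number = int(re.search(r"device number (\d+)", msg).group(1))
            current[port] = dev
            devices.append(dev)
            continue
        dev = current.get(port)
        if dev is None:
            continue
        if src == "usb-storage" and "Mass Storage" in msg:
            dev.mass_storage = True
        elif msg.startswith("USB disconnect"):
            dev.disconnected_at = ts
            del current[port]
        elif (ids := ID_RE.search(msg)):
            dev.vendor_id, dev.product_id = ids["vid"], ids["pid"]
        elif msg.startswith("Product: "):
            dev.product = msg[len("Product: "):]
        elif msg.startswith("Manufacturer: "):
            dev.manufacturer = msg[len("Manufacturer: "):]
        elif msg.startswith("SerialNumber: "):
            dev.serial = msg[len("SerialNumber: "):]
    return devices


def unapproved_storage(devices: list[UsbDevice], approved_serials: set[str]) -> list[UsbDevice]:
    """Mass-storage devices whose serial is not on the company's allow-list (or that reported none)."""
    return [d for d in devices if d.mass_storage and d.serial not in approved_serials]


if __name__ == "__main__":
    seen = parse_usb_events(SAMPLE_DMESG)
    for d in seen:
        kind = "STORAGE" if d.mass_storage else "other  "
        print(f"{kind} {d.port} {d.manufacturer} {d.product} serial={d.serial} "
              f"{d.connected_at:.0f}s-{d.disconnected_at or 'still attached'}")
    for d in unapproved_storage(seen, set()):   # empty allow-list: every stick is flagged
        print("unapproved mass-storage device:", d.serial)
```

Keeping the port as the grouping key is what ties the `usb-storage` line back to the vendor, product and serial reported a moment earlier, so the audit record says which stick was in use and for how long, not just that "a USB device" appeared; non-storage devices such as the receiver are recorded but never flagged.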
Conclusion
From all of the above, we can conclude that a company will not be GDPR-compliant without dealing with USB data loss. Alternative or better security for USB devices should be considered.
If you have further questions around your data management and security processes and your GDPR compliance, contact an accredited DPO.