This week it was announced that a USB drive belonging to a member of the Greater Manchester Drug Squad was stolen. The USB stick contained personal details of witnesses who had given evidence in drug investigations. The police force was subsequently fined £120,000 for this serious security breach.
First of all, let’s address the obvious. It was an unforgivable oversight that details of over 1,000 persons with links to serious drug investigations were stored on an unencrypted drive. This incident shows how basic lessons surrounding data security are not being learned. The same Manchester police force suffered a similar security breach in September 2010 but failed to take heed of an order to force all employees to keep sensitive data on encrypted storage devices.
It is a necessity for the IT department in any organisation to implement a data security policy that applies to all staff based around strong encryption. There is also a need for better training of employees to ensure that sensitive data is not kept on unencrypted devices. These adages should apply to any organisation where theft of data would be harmful. This refers not only to cases where loss of data can result in fines, but in loss of intellectual property or information that gives that organisation a competitive edge. One solution to such cases would be to disable removable USB storage devices completely, alternatively training can be provided on the use of basic encryption technology that is widely and often freely available.
However, while removable media and mobile devices should always be encrypted, it may be the case that sales of removable media have peaked. Instead, more and more businesses and consumers are storing data in the cloud, not least because post-PC devices do not always support removable media.
With a USB stick, the threat of data loss arises from casual loss, theft or from malware on a PC that steals data when the USB stick is being used. Data protection in the cloud brings new challenges since that data is potentially exposed 24/7 to increasingly well-resourced cyber attacks. Strong encryption with strong authentication will be essential. You can find out more about encryption in the cloud by looking at this report. By implementing standards of due care, your business can make sure that its data is protected whether it resides in the cloud or on a physical device.