Portable USB storage devices have been popular for many years. Their small form factor, large capacity, cross-platform compatibility, and fast performance make them a valuable tool for busy employees on the go. USB thumb drives are small enough to easily fit in your pocket. While convenient, they do pose a significant security risk. Their small form factor and mobility make them more prone to being lost or stolen. If your employees are carrying sensitive data on these USB storage devices, it can expose your organization to significant penalties if they are lost or stolen.
An article by DataBreachToday.com reported that on July 13, 2012, The University of Texas MD Anderson Cancer Center lost a USB thumb drive containing approximately 2,220 patient records. As some of you may know, organizations that handle health information are required by HIPAA to safeguard patient data. Failure to do so can result in significant penalties. In the case of MD Anderson Cancer Center, the Office of Civil Rights, the agency that enforces HIPAA Privacy and Security rules, fined them $4.3 million (USD) for the violation.
MD Anderson Cancer Center slapped with $4.3M penalty for lost USB drive
Read the DataBreachToday.com article
In the latest breach, the Houston-based cancer center says a thumb drive containing patient data and research information was lost on one of its shuttle buses on July 13.
Regardless of whether it is health data, customer data, financial data, intellectual property, research data, or similar, the loss of the data can lead to sanctions. Most organizations have some level of data they need to safeguard. Typically, an internal policy, government regulation or an accrediting body will dictate how that is done. The severity of the penalty varies. It can be a demotion for an employee or criminal and/or financial penalties against an organization.
Fortunately, this risk is easily addressable with the use of self-encrypting USB drives. For clients we work with, we set them up to use the Aegis Padlock USB with military-grade encryption. Manufactured by Apricorn, Inc., the portable Aegis Padlock encrypted hard drive uses AES 256-bit hardware encryption to protect the data contained within it. These USB hard drives have a physical keypad on their face to allow a user to enter a PIN to unlock the drive. Once unlocked, the content is made accessible on a computer (via a drive letter) and the files it contains can be treated like any other computer files. With a physical keypad, this unit is not vulnerable to software- or hardware-based keyloggers or software-based brute-force attacks.
The Aegis Padlock comes in a variety of capacities ranging from 500GB to 16TB with a USB 3.0 interface and requires no external power adapter. To use the Aegis Padlock, you simply plug it into your computer's USB port and enter your PIN on the keypad to unlock it; a new drive letter (if using a Windows computer) will then appear. From our observations, the on-the-fly hardware encryption does not affect data transfer performance.
As a side note, although it sounds impressive that a portable self-encrypting USB 3.0 hard drive is available with 16TB capacity, one should consider the risk and the need to have that much sensitive data on a mobile device. In 2019, Apricorn conducted a survey that revealed some alarming statistics regarding employees' use of USB data storage devices:
The State of USB Data Protection 2019: Employee Spotlight
- Most organizations (64%) have a policy outlining acceptable use of USB devices, but 64% of respondents said their employees use USB drives without obtaining advance permission to do so (compared to 57% in 2017)
- In 2018, 58% of employees used non-encrypted USB drives such as those received “free” at conferences – compared to 56% in 2017
- Nearly half (48%) of employees lost USB drives without notifying appropriate authorities about the incident – compared to 39% in 2017
- Lost USB drives were a particular problem in the retail industry – 14% of respondents confirmed that more than 75% of employees had lost a USB drive over the past year
Regardless of your role in your organization, information security is not an I.T. issue, it's a business issue. The I.T. department will typically provide most of the technology and technical controls, but everyone in an organization needs to have some level of responsibility to safeguard data. With Apricorn's line of self-encrypting storage devices, you can take comfort in knowing that if a device is lost or stolen, any data contained within it will be safe from unauthorized disclosure.
Using the Aegis Padlock hard drive as an example, if it is lost or stolen and a brute-force attempt is made to gain access to the data, the device features the ability to automatically perform a “crypto-erase” of all the content contained within it after a pre-defined number of consecutive failed PIN attempts. The Aegis Padlock will destroy its own encryption key, which ultimately destroys any ability to decrypt the stored data.
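To make the crypto-erase behaviour described above concrete, here is an added Python model; it is not Apricorn's firmware or code from the original article. The names `ModelDrive` and `MAX_ATTEMPTS`, the limit of 3, and the SHA-256 keystream standing in for the AES-256 hardware engine are all assumptions for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed value; the page only says "pre-defined number"

def kdf(pin: str, salt: bytes) -> bytes:
    """Derive a key-encryption key (KEK) from the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the AES-256 engine: SHA-256 counter keystream, XORed."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ModelDrive:
    def __init__(self, pin: str, plaintext: bytes):
        self.salt = os.urandom(16)
        dek = os.urandom(32)                      # random data-encryption key
        kek = kdf(pin, self.salt)
        self.wrapped_dek = xor_stream(kek, dek)   # DEK is stored only wrapped
        self.pin_check = hmac.new(kek, b"pin-check", "sha256").digest()
        self.media = xor_stream(dek, plaintext)   # what a thief can read raw
        self.failures = 0

    def unlock(self, pin: str):
        """Return the plaintext on success, None on failure or after erase."""
        if self.wrapped_dek is None:
            return None                           # key gone: nothing to unwrap
        kek = kdf(pin, self.salt)
        tag = hmac.new(kek, b"pin-check", "sha256").digest()
        if hmac.compare_digest(tag, self.pin_check):
            self.failures = 0                     # only consecutive misses count
            return xor_stream(xor_stream(kek, self.wrapped_dek), self.media)
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:         # crypto-erase: destroy the key
            self.wrapped_dek = self.pin_check = None
        return None

def demo():
    drive = ModelDrive("271828", b"constructed sample record")
    drive.unlock("000000")                        # one miss
    before = drive.unlock("271828")               # success resets the counter
    for guess in ("000000", "111111", "222222"):  # three misses in a row
        drive.unlock(guess)
    return before, drive.unlock("271828"), drive.media
```

After the third consecutive miss the ciphertext in `media` is still present, but even the correct PIN no longer unlocks it, because the wrapped key it would have recovered has been destroyed.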
Apricorn Aegis Padlock Self-Encryption USB Hard Drives
In summary, sensitive data on mobile storage devices poses an inherent security risk. Many organizations rely on their employees to exercise due diligence and care when it comes to properly safeguarding these devices. Despite being aware of the importance of protecting data, there will be some who do not exercise best practices in protecting them, exposing the organization to unnecessary risk. However, by providing your workforce with a self-encrypting portable USB drive, you practically eliminate this risk. Apricorn's line of self-encrypting, affordable, cross-platform compatible USB storage drives is a quick and easy solution to significantly increase your overall security posture with minimal administrative effort.