By Graeme Batsman, director of Data Defender Ltd.
Recently various news stories came out relating to the loss of an unencrypted USB flash drive. The USB flash drive was owned by an employee of the nuclear safety watchdog, the Office for Nuclear Regulation (ONR). ONR is a subdivision of the Health and Safety Executive (HSE), a national independent watchdog for work-related health, safety and illness.
On the USB flash drive was a document relating to a recent 'stress test' of a nuclear power station based at Hartlepool, England. A stress test assesses the safety, and potentially the security, of a nuclear power plant.
Any report containing information on the safety and security of a British nuclear power station would be highly prized by terrorists. Terrorist attacks require months of planning, during which scouts (information collectors) try to gather information. Details relating to equipment, staff, timings, security and layout would be very useful.
Ironically, the document lost related to the weaknesses in a nuclear power plant. One assumes the security surrounding nuclear power plants is strong and foolproof, although this is often not the case. The private sector, and in most cases the public sector, are infamous for losing unencrypted computer media: mainly laptops, USB devices, CDs and tapes.
Over the past three years tens of cases have been reported and they do not seem to be declining. The interest shown in the private sector, mainly by medium and small companies, is shocking. An ONR spokesman said: "The use of unencrypted USB pen drives is not permitted by ONR for transporting documents with a security classification".
One has to ask when we will ever learn. However, if we examine more closely, we often see that policies, laws and rules will fail in all cases. For example, 70 miles per hour is the maximum speed on most motorways, but how many people obey this? Very few. IT systems are no different. Do many people follow the rules around email, web browsing and USB? The quote from ONR is not worth the email or paper it is printed on unless it is enforced.
Creating an IT policy which says USB flash drives must be encrypted, or that only hardware-encrypted USB flash drives may be used, will fail. People may follow the guidelines for a while, and one day will choose not to, which leads to a data breach. An automated and proactive approach is best. Private or public sector computers are not there for the entertainment of staff. Either block all USB ports and optical drives, or use an automated system that permits some devices but encrypts data on the fly, thus taking away the user's choice.
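As an added illustration of the two options above (this script is not from the original article), the PowerShell below sets the Windows registry values behind them: either disable the USB mass-storage driver outright, or deny writes to any removable drive that BitLocker To Go does not protect, so staff cannot choose to copy a document onto an unencrypted stick. It assumes an elevated session on a test machine; in production the same values would be pushed by Group Policy rather than set by hand.

```powershell
# Added example: enforce "no unencrypted removable media" technically,
# rather than relying on staff to follow a written policy. Run elevated.
# Assumption: local registry on a test machine; in production the same
# settings are deployed via Group Policy (Computer Configuration >
# Administrative Templates > System > Removable Storage Access /
# Windows Components > BitLocker Drive Encryption > Removable Data Drives).

param(
    [ValidateSet('Block', 'EncryptOnly')]
    [string]$Mode = 'EncryptOnly'
)

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$fve     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

switch ($Mode) {
    'Block' {
        # Start = 4 (disabled) stops the USB mass-storage class driver from
        # loading, so flash drives do not mount at all. 3 is the default.
        Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    }
    'EncryptOnly' {
        # Policy "Deny write access to removable drives not protected by
        # BitLocker": an unencrypted stick becomes read-only and the user is
        # prompted to turn on BitLocker To Go before anything can be written.
        if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
        Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
        # Make sure the storage driver is enabled again if it was blocked earlier.
        Set-ItemProperty -Path $usbstor -Name Start -Value 3 -Type DWord
    }
}

# Report the effective values so an auditor can confirm the machine's state.
[pscustomobject]@{
    Mode               = $Mode
    USBSTOR_Start      = (Get-ItemProperty -Path $usbstor).Start
    RDVDenyWriteAccess = (Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue).RDVDenyWriteAccess
}
```

Checking the reported values across the estate is the enforcement the article calls for: a machine where neither setting is present is one where the written policy is all that stands between a stress-test report and an unencrypted pen drive.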