The BBC and other news outlets are carrying a small blurb on the recovery of a USB flash drive that contained the information of one person, an “offender” that was working with the Probation Board of Northern Ireland (PBNI). Due to the circumstances surrounding its recovery, I can tell that disk encryption was not used.
The PBNI is looking into the issue, and a spokesman for the board has made it known that saving the information to a USB memory stick is against the board’s policies. It was also pointed out that the memory stick belonged to the employee, and was not property of the state.
Of course, with only one person affected, it might make people wonder whether this is a significant incident. I would argue that it is, since it further confirms what people have known since time immemorial: policies—written or oral—while designed to be preventative in nature, are anything but. For example, of the following two, what is preventative when it comes to ensuring that a person doesn’t crash through a car’s windshield: driving safely or wearing a seatbelt?
Hah! Trick question. The right answer, naturally, is both. But, driving safely doesn’t prevent some idiot from crashing into you, which could send you flying off into the horizon. And in such instances, you’re hoping that you’re wearing a seatbelt.
There is one problem though: the employee who broke the rules used his own USB device to store information that should have been kept in the office. This is, using the above example, like someone coming along and stealing your seatbelt—meaning you’re back to driving safely as the main method of ensuring safety.
The answer to such behavior is quite simple: disable the USB ports. Or, better yet, set up a computer policy so that only certain devices can be activated when connected to a computer’s USB port. Yep, I’m aware it’s ironic that I have to use “policy” to refer both to something that is not secure, like oral and written policies, and to something that is secure, like a computer security policy.
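One way to check that such a device allowlist is actually holding, as an added example that is not from the original post: the script below audits a Linux host's sysfs USB tree and reports any attached mass-storage device that is not approved. The Linux/sysfs setting, the function names, and the vendor/product/serial values are assumptions, and the sample tree is constructed.

```python
from pathlib import Path

MASS_STORAGE = "08"  # USB interface class code for mass storage

def _read(path):
    """Return a sysfs attribute as stripped text, or "" if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return ""

def unapproved_storage(allowlist, sysfs_root="/sys/bus/usb/devices"):
    """List attached USB mass-storage devices that are not on the allowlist.
    allowlist: (vendor_id, product_id, serial) tuples. A serial of None
    approves every unit of that model, so same-model personal sticks pass."""
    approved = {(v.lower(), p.lower(), s) for v, p, s in allowlist}
    findings = []
    for dev in sorted(Path(sysfs_root).iterdir()):
        vid, pid = _read(dev / "idVendor").lower(), _read(dev / "idProduct").lower()
        if not vid:  # interface entries such as "1-1:1.0" have no idVendor
            continue
        # Interfaces sit under the device as "<port>:<config>.<interface>".
        classes = {_read(i / "bInterfaceClass") for i in dev.glob("*:*")}
        if MASS_STORAGE not in classes:
            continue
        serial = _read(dev / "serial") or None
        if (vid, pid, serial) in approved or (vid, pid, None) in approved:
            continue
        findings.append({"port": dev.name, "vid": vid, "pid": pid, "serial": serial})
    return findings

def build_sample_tree(root):
    """Constructed sample data: a fake sysfs tree with three devices."""
    sample = {
        "1-1": ("0781", "5567", "AA11", "08"),  # office-issued stick
        "1-2": ("0781", "5567", "ZZ99", "08"),  # same model, personal unit
        "1-3": ("046d", "c31c", None, "03"),    # keyboard (HID), not storage
    }
    for port, (vid, pid, serial, cls) in sample.items():
        dev = Path(root) / port
        (dev / f"{port}:1.0").mkdir(parents=True)
        (dev / f"{port}:1.0" / "bInterfaceClass").write_text(cls + "\n")
        (dev / "idVendor").write_text(vid + "\n")
        (dev / "idProduct").write_text(pid + "\n")
        if serial:
            (dev / "serial").write_text(serial + "\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(unapproved_storage([("0781", "5567", "AA11")], tmp))
```

Allowlisting by serial number rather than by model is what separates the office-issued stick from an employee's own device of the same make.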
Because computer security policies are part of the overall data protection schema, data encryption solution providers like AlertBoot offer these capabilities along with file encryption, disk encryption, and application control.
Related Articles:
http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/foyle_and_west/7558166.stm
http://www.newsletter.co.uk/news/Probation-Board-file-found-in.4386008.jp