Several media outlets are passing on a report by the Financial Times that stated the Department of Health and the Department of Transport in England are allowing employees to download information to unencrypted USB memory sticks. Both departments are denying those findings and, based on their responses, it looks like at least one of them is using data encryption software that has an option to encrypt any USB devices plugged into a computer, virtually identical to a feature available in AlertBoot endpoint security systems.
A spokesman for the Department of Health said that "data is automatically encrypted before it is transferred to a removable format."
There are lots of data security solutions out there, and some offer features that others have not thought of. A security feature that's pretty useful when it comes to USB devices is the USB port control, where one can specify which devices will work with a computer's USB port. If a device is not on an authorized list, the computer will not recognize the device. End of story.
However, AlertBoot offers an additional solution: you can have it programmed so that any memory device, be it a USB memory stick or an external hard disk, starts encrypting the moment it's plugged into a computer. This way, the end user doesn't need to remember to encrypt the USB device if sensitive documents end up on it. Remember, the weakest link in any data security scheme is people: this automatic process helps eliminate part of that weak link.
Of course, there are problems associated with it. For example, if you connect an iPhone to a work computer that has this USB security feature enabled, that phone's gone. This makes it really important for employees not to stick stuff into those USB ports. If people were not following policies before, they certainly will now.
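The two controls described above, port control (a deny-by-default authorised-device list) and automatic encryption of any removable storage, and the trade-off where an unrecognised storage device such as a phone gets the same treatment, can be expressed as a small policy decision. The following is an added illustration, not AlertBoot's code or either department's configuration; the policy structure, the `decide` function and the device records are constructed for this example (the vendor IDs 0x0781, 0x05ac and 0x046d are real USB-IF assignments for SanDisk, Apple and Logitech; the product IDs and serials are made up).

```python
"""Endpoint USB policy: port control plus auto-encrypt of removable storage.

Added example only. It models the two features discussed in the post;
it is not the vendor's implementation. All device records are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"      # device recognised, nothing further to do
    ENCRYPT = "encrypt"  # removable storage: encrypt before it is usable
    BLOCK = "block"      # port control refuses to recognise the device


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int       # USB-IF vendor id, e.g. 0x0781 (SanDisk)
    product_id: int      # constructed values below
    serial: str          # constructed values below
    mass_storage: bool   # True if the device exposes a storage interface


@dataclass(frozen=True)
class Policy:
    port_control: bool          # deny-by-default device recognition
    allowlist: frozenset        # {(vendor_id, product_id, serial)}; "*" = any serial
    auto_encrypt_storage: bool  # encrypt any recognised storage on plug-in


def is_authorised(dev: UsbDevice, policy: Policy) -> bool:
    """Exact (vendor, product, serial) match, or a model-wide '*' entry."""
    key = (dev.vendor_id, dev.product_id, dev.serial)
    wildcard = (dev.vendor_id, dev.product_id, "*")
    return key in policy.allowlist or wildcard in policy.allowlist


def decide(dev: UsbDevice, policy: Policy) -> Action:
    """What the endpoint does with a device the moment it is plugged in."""
    # Port control runs first: an unlisted device is simply not recognised.
    if policy.port_control and not is_authorised(dev, policy):
        return Action.BLOCK
    # Auto-encrypt applies to any storage the machine does recognise.
    # This is the trade-off from the post: a phone that presents storage
    # is treated exactly like a memory stick.
    if dev.mass_storage and policy.auto_encrypt_storage:
        return Action.ENCRYPT
    return Action.ALLOW


def audit_line(dev: UsbDevice, action: Action) -> str:
    """One log record per plug-in event, suitable for central collection."""
    return (f"usb_event vid={dev.vendor_id:04x} pid={dev.product_id:04x} "
            f"serial={dev.serial or '-'} storage={int(dev.mass_storage)} "
            f"action={action.value}")


# Constructed sample devices.
CORPORATE_STICK = UsbDevice(0x0781, 0x5583, "SN-CORP-0001", True)
UNKNOWN_STICK = UsbDevice(0x0781, 0x5583, "SN-UNKNOWN-9", True)
PHONE = UsbDevice(0x05ac, 0x1290, "PHONE-0001", True)
KEYBOARD = UsbDevice(0x046d, 0xc31c, "", False)

# Policy A: port control on, only the corporate stick listed, auto-encrypt on.
STRICT = Policy(True, frozenset({(0x0781, 0x5583, "SN-CORP-0001")}), True)
# Policy B: no port control, auto-encrypt on (encrypt anything that appears).
ENCRYPT_ALL = Policy(False, frozenset(), True)


if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("encrypt_all", ENCRYPT_ALL)):
        for dev in (CORPORATE_STICK, UNKNOWN_STICK, PHONE, KEYBOARD):
            print(name, audit_line(dev, decide(dev, policy)))
```

Under the strict policy the unlisted stick and the phone are never recognised, while the corporate stick is recognised and then encrypted. Under the encrypt-everything policy there is no allowlist to save the phone: it is recognised as storage and encrypted in place, which is the failure mode the post warns about. The audit line gives the monitoring side a record of every plug-in decision.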
If you read the articles, you'll notice that the issue of security is nebulous: "A spokeswoman from the Department for Transport said only encrypted memory sticks may be used to connect to the department's IT network."
Does this mean that encryption is being used? Or does it mean encryption is supposed to be used? Based on the wording, the Financial Times accusations may have some bearing.
The technology to stop employees from transferring sensitive data to unsecured media like USB memory sticks exists, and has existed, for years now. Indeed, many companies that offer centrally managed encryption solutions also offer USB port control as an added service (sometimes for free). However, management must actively pursue its implementation.
If management has decided that employees must bear the onus of encrypting data, it has abrogated its responsibilities. Written policies have their place, but if workplace practices show that the policies are not followed and cannot be enforced (or will not be enforced), it is up to management to find a way that works.
The Department of Health seems to have chosen this latter option; the other departments cited look as if they have not. What are the chances that the next data security breach will come from this latter group? Very high.
Related Articles:
http://www.publicservice.co.uk/news_story.asp?id=8186
http://www.telegraph.co.uk/news/newstopics/politics/4220321/Government-failed-to-clamp-down-on-data-loss.html
http://news.zdnet.co.uk/security/0,1000000189,39591098,00.htm