USB careful – how to protect personal data on memory sticks
What’s small, can hold all your organisation’s personal data and commercial secrets, and is easy to lose? It’s no joke. We look at the risks of using USB memory sticks in the workplace and how to protect your organisation from such a data breach.
The risk of a data breach from a USB memory stick
Last month, news emerged of a data breach suffered by Heathrow Airport. A member of the public had found a USB memory stick that an employee had lost. The USB stick held personal data for a number of personnel including names, dates of birth and passport numbers. According to some reports, it also included details of the security arrangements for the Queen when she travels through the airport.
This personal information wasn’t encrypted, meaning that the individual who found the stick was able to look at all the information straight away, without any passwords or barriers. It was then passed to a national newspaper, which seemingly took a copy before returning it to Heathrow Airport.
It couldn’t happen to my business
It’s easy to think that this ‘couldn’t happen in my business’ but USB memory sticks are very easy to use and many people find them more convenient for transporting files. You might not even be aware that they are being used in your organisation.
As Heathrow Airport’s experience shows, USB memory sticks are very easy to lose and can often be used for casually storing vital and sensitive information. There are a number of steps you can take to prevent this happening in your business:
Know what your staff use USB sticks for and why
Transparency is vital, so work out what your team is using the memory sticks for and whether that involves personal or confidential information. Be clear about what files it’s OK to transport (perhaps non-sensitive presentations and documents) and what’s not safe (personal data and confidential information).
Provide staff with encrypted USB sticks
If it is genuinely useful for staff to have access to USB sticks for transferring sensitive information then help them keep it secure. Don’t expect them to source USB sticks or use ones they’ve been given by others: provide them with work USB sticks with automatic encryption protection. Using encrypted devices is one way to make sure that if a USB stick is lost, it won’t be a data breach.
Set up IT policies that prevent people using unauthorised USB sticks
Define your approach to USB memory stick usage and data storage in your IT policy. To help ensure adherence to the policy, you could ask your IT service provider to set up your system to permit certain USB sticks and stop others from being used.
Train your staff on data protection
When the ICO investigated, one of the major failings at Heathrow Airport was that very few staff received training on data protection. If they don’t understand why data protection is important, how can your staff properly protect personal data?
Ban USB sticks in your workplace
It’s extreme, but if the risk of a data breach from a USB stick is high in your organisation, then maybe it’s something to consider. Be careful, though, that this doesn’t drive USB stick use ‘underground’. If employees need to transport or transfer data then you need to provide them with an alternative way to do so.
At Astrid, we understand that small businesses don’t have huge training budgets, nor can they spend days of staff time to get training completed. That’s why we provide bite-sized training videos that cover the areas your staff need to know. Subscribe today and ensure that your staff are your first line of defence against a data breach.