Organisations across the UK are of course aware of the need to secure personal and corporate data within their business.
Reinforced measures to protect such information have been implemented in recent years to prevent access by unauthorised individuals. Despite this, incidents of data breaches surrounding mislaid or stolen unencrypted portable data storage devices continue to occur with alarming regularity, as headlines in the trade and national press show.
The results of iStorage surveys conducted at Infosecurity Europe between 2010 and 2012 revealed a growing percentage of respondents admitting to losing portable data storage devices containing personal or company data. In 2010, nearly a quarter (23 per cent) admitted to experiencing such a loss; this rose dramatically to over one-third (34 per cent) just two years later.
This alarming trend is further underlined by the fact that a majority of IT professionals (54 per cent) who completed the survey at Infosecurity Europe 2012 carried unencrypted data on USB sticks and other portable storage devices.
Data protection and the law
Under the terms of the UK Data Protection Act 1998, organisations handling personal information about individuals have legal obligations to safeguard that data. The Information Commissioner's Office (ICO) recommends an array of security measures organisations should take, including, for computer security, that organisations should "encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen".
This of course extends to personal and corporate data removed from internal servers or corporate data centres and stored on portable hard drives, USB flash drives and optical media.
Three years ago the UK government gave the ICO the power to fine organisations guilty of serious data protection breaches up to £500,000. Since then, it has fined a number of organisations and signed data protection undertakings with bodies across the private, public and third sectors, many as a result of lost or stolen unencrypted portable devices.
This caveat regarding the encryption of such devices is important, since data at rest on encrypted portable digital media will remain safe, even if lost or stolen.
Portable encryption and protection
The importance of using encrypted personal devices as a means of securing sensitive material cannot be overstated, especially when organisations continue to 'store' such data on paper or optical media. For instance, the ICO recently fined the Nursing and Midwifery Council £150,000 for losing three DVDs relating to a nurse's misconduct hearing.
It seems organisations are not taking the necessary precautions to protect sensitive information, something all the more inexcusable given the encrypted portable solutions available today.
There are, naturally, a number of encrypted devices on the market, but products offering a strong combination of physical and digital security measures, from multi-digit PIN access via onboard keypads to military grade real-time data encryption and anti-brute force hacking capabilities, deliver the most robust, 360-degree portable data security solutions.
Despite the ICO reprimanding and fining those guilty of serious data breaches through the misuse of portable storage, more could be done to reduce incidents of data-at-rest leakage. In addition to better levels of education and process training, organisations should introduce hardware encrypted portable devices into the workplace to ensure data remains inaccessible to unauthorised individuals even if hardware is lost or stolen from the organisation.
John Michael is CEO of iStorage
iStorage Limited is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.