How to improve the security of external drives and USBs

Vassen Naicker, WD product specialist at DCC

Unlike laptops or desktops, external drives and USBs carrying company information are often overlooked when it comes to data protection, says Vassen Naicker, Western Digital Product Specialist at distributor Drive Control Corporation (DCC).

The sheer volume of data that USBs and external drives can carry boggles the mind. A few years ago, the ability of a tiny device, no bigger than your thumb, to store 32 Gigabytes (GB) of data would have been unimaginable. Moreover, who would have thought a mobile external hard drive would enable you to store 2 Terabytes (TB) of information, readily available anywhere, anytime?

However, these considerable strides in storage also call for due diligence. Unfortunately, mobile storage equals security vulnerability. If your USB or external drive falls into the wrong hands – accidentally or maliciously – you can expose valuable and sensitive company information, which can wreak havoc for months to come.

The reality is USBs and external drives fall outside the normal ICT security perimeter. People become complacent and as a result you will often find that these devices aren’t even password protected, let alone run any form of security software.

We have over the years focused all our security efforts on fortifying our security posture, which includes desktops and laptops, but have forgotten one critical element of it – those little devices that connect to these information enablers and store their data – even if it is only temporarily.

In 2008, the U.S. Army learnt a costly lesson when the media reported that flash drives carrying information on Afghan spies were on sale for $40 a device. And to add insult to injury, that same year a worm which spread by copying itself to USBs infiltrated U.S. Army networks.

And it happens in a flash, if you’d excuse the pun. We’ve all left our keys lying around, accidentally lost a pen or even misplaced a purse. The same can happen to your USB or external drive. Its convenience comes at quite a cost, and that is why you should remain vigilant; smaller definitely doesn’t mean safer.

So what is the answer? Surely you can’t prevent staff from using USBs or external drives; they are invaluable tools in a time of explosive data growth.

First and foremost, create that sense of responsibility; continue to proactively communicate the dire consequences of USBs and external drives falling into the wrong hands. Security begins and ends with all the devices you use – it’s not limited to a notebook or desktop.

Second, arm your devices with the latest security. External drives and USBs now feature 256-bit AES hardware encryption and password protection that go very far in protecting these devices against prying eyes.

256-bit encryption, for example, transcends software protection. When your data is encrypted, it is scrambled into a bunch of meaningless data – only your password key can unscramble it back to its original form. During the process of encrypting, software encryption exposes the key to the computer since the software has to work with the computer’s resources.

This means that there are ways to recover this information and determine the password for the device. However, with hardware encryption the password key is unique to the computer – it is only seen by the encryption chip that the data passes through inside the device.

Furthermore, data encrypted using software encryption is stored as a file on the device. Although this file is encrypted and cannot be accessed without a password, it is visible for all users to see.

Again, a hacker could copy this file onto their own computer and subject it to a wide array of attacks in the hope of cracking the password. You will not be able to see the data on a hardware-encrypted flash drive without first entering the password. This makes any type of offline attack extremely difficult to execute.

By opting for devices which offer 256-bit hardware encryption and additional password measures, you’re arming your organization and workforce against malicious attacks, and you can continue to use these devices that are both extremely mobile and store loads of information.