Neutralising the USB threat to your business

As Heathrow Airport found out last year, lost or stolen USB drives can expose your organisation to substantial risks such as damage to reputation, loss of customers, or fines.

You can neutralise them by using Encrypted USB drives. Check out our infographic to understand some other quick actions you can take to secure your business from the potential damage that just one unencrypted USB drive can do.

 

 

How can encrypted USB help your business?

Kingston Technology’s encrypted USB drives provide the security needed to protect your confidential business data at all times. Protect your organisation’s sensitive and business-critical data by standardising on encrypted Kingston DataTraveler or IronKey flash drives.

With several models and capacities to choose from to suit all types and sizes of organisation, there’s always one that’s ideal for your company’s needs. Whether mobile data security is a priority, or you have to demonstrate compliance with data-at-rest directives, laws, standards or global regulations such as GDPR, Kingston’s encrypted USB drives are built for all scenarios. Check out this short video of the DTVP30 range to find out more.

 

How we can help

Complete IT Systems and Kingston Technology have the solutions, experience, accreditations and skills to provide your business with the security solutions you need. For more information call us on 01274 396 213 or contact us and we can call you back.

Could your company survive a six-figure fine for USB data breach?

Heathrow Airport received a £120,000 fine late last year for allowing a data breach by way of an un-encrypted USB stick being misplaced and falling into the hands of a national newspaper. The stick, which contained 76 folders and over 1,000 files, was not encrypted or password protected. “The stick held a training video containing […]


No-nonsense print security tips

Conversations about GDPR and print security can be pretty awkward, or at the very least a little uncomfortable. So let’s make this quick! The first perception is that GDPR compliance for businesses involves costly investment. But this does not necessarily have to be the case. And it certainly doesn’t have to be as clumsy and […]


Are your users using USBs to share company information?

USB sticks

The USB stick is one of those seemingly harmless plug-in accessories that we’ve all used for sharing files and for those last-minute meeting room nightmares when the colleague who was supposed to be presenting your team’s update can’t get online or connect to the projector!


Various incarnations, shapes and sizes of USB devices have been around for almost 20 years now, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet.

Even though there are cool new ways to share things online and via cloud apps, there’s no harm in your users keeping USB sticks ‘just in case’, right? Nowadays, cloud services such as Dropbox have taken on much of the USB stick’s traditional workload in terms of file storage and transfer, and there is greater awareness of the security risks associated with USB devices. Because of this, USBs’ use as an essential business tool is declining – yet millions of USB devices are still produced and distributed annually, with many destined for use in homes, businesses and as marketing promotional items for trade show giveaways.

Is this scaremongering or is the risk of company data loss from USBs real?

99 times out of 100 probably not. But there’s always that risk, as Heathrow Airport, among many others, has found out with its recent £120,000 fine from the ICO. While Heathrow largely ‘got away with that one’ from a hacking perspective at least, USBs have been exploited by cyberthreat actors, most famously by the Stuxnet worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility. And as well as the actual risk of company data loss, there’s also the reputational risk and financial damage of fines from regulations such as the GDPR.

We also understand that laptops, tablets, phones and other such portable endpoint devices with access to sensitive data will always be areas of potential data breach (we can help with those too…), but for the purposes of this article we’re singling out the poor USB!

What do the figures tell us?

In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.

USB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a ‘local’ cyber incident. These are attacks detected directly on a user’s computer and include infections caused by removable media like USB devices.

This short report reviews the current cyberthreat landscape for removable media, particularly USBs, and provides advice and recommendations on protecting these little devices and the data they carry.

The overview is based on detections by Kaspersky Lab’s file protection technologies in the drive root of user computers, with a specific scan filter and other measures applied. It covers malware-class attacks only and does not include detections of potentially dangerous or unwanted programs such as adware or risk tools (programs that are not inherently malicious, but are used to hide files or terminate applications, etc. that could be used with malicious intent). The detection data is shared voluntarily by users via Kaspersky Security Network (KSN).

Key findings

  • USB devices and other removable media are being used to spread cryptocurrency mining software – and have been since at least 2015. Some victims were found to have been carrying the infection for years.
  • The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
  • One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016).
  • Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
  • The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
  • Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
  • Dark Tequila, a complex banking malware reported on August 21, 2018, has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.

In our next article we’ll examine how the threat carried by USBs isn’t static, and hacks are unfortunately becoming more and more sophisticated.

Want to find out more?

As Kaspersky Platinum Partners, Complete IT Systems can offer you expert advice on the solutions and how they could be effectively deployed in your business.

To find out more please call us on 01274 396 213 or use our contact form and we’ll arrange a good time to call you back.

Could your company survive a six-figure fine for data breach?

Heathrow Airport received a £120,000 fine this week for allowing a data breach by way of an un-encrypted USB stick being misplaced and falling into the hands of a national newspaper.

The stick, which contained 76 folders and over 1,000 files, was not encrypted or password protected.

“The stick held a training video containing names, dates of birth, vehicle registrations, nationality, passport numbers and expiry, roles, and mobile numbers of 10 individuals involved in a particular greeting party, and also details of between 12 and 50 (exact number unconfirmed) Heathrow aviation security personnel,” the Information Commissioner’s Office (ICO) said in its penalty notice.

What did Heathrow get so wrong?

It’s tempting to say that a USB stick is easy to lose and that there’s little a company’s directors can do to mitigate such a data breach scenario. However, in issuing the fine, the ICO also pointed out that less than 2% of Heathrow’s 6,500 staff had even received data protection training.

Other concerns noted during the investigation included the widespread use of removable media in contravention of Heathrow’s own policies and guidance and ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.

This is despite the fact that most businesses now rely more and more on IT to support their activities, and this makes them increasingly vulnerable to threats from hackers, viruses and even from malicious or careless actions of their own staff, as in the Heathrow case.

How can you ensure your company does not fall victim to data breach?

Having the correct solutions, policies and training in place can make the difference between success and failure for your company – strong IT security has never been so crucial.

Information also needs to be protected if you share it with other organisations. For many businesses, the internet has replaced traditional paper-based methods of exchanging information. It can be sent and received faster, more frequently and in greater volume – but the internet in itself brings its own security issues which businesses must consider.

Having an effective IT security policy in place can help you control and secure information from malicious changes, deletions, data breach, or from unauthorised disclosure.

How we can help

Complete IT Systems has the experience, accreditations and skills to provide your business with the security solutions you need. For more information on how Complete IT Systems can help your business, call us on 0845 873 9631 or contact us and we can call you back.

References

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/heathrow-airport-limited-fined-120-000-for-serious-failings-in-its-data-protection-practices/

Microsoft solutions for GDPR compliance

As you have almost certainly heard by now, the GDPR regulations come into force this month.

The question for many business owners is: how do you cut through the noise to achieve GDPR compliance while keeping your company running the way you need it to?

Microsoft solutions can help your business with GDPR readiness, and as an accredited and specialised Microsoft partner, Complete IT Systems can help you select and implement them.

Microsoft’s Office and Office 365 solutions have in-built industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Office and Office 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.

One essential step to meeting the GDPR obligations is discovering and controlling what personal data you hold and where it resides. There are many Office 365 solutions that can help you identify or manage access to personal data:

  • Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information. In addition, DLP allows businesses and organisations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organisation.
  • Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
  • Customer Lockbox for Office 365 can help you meet compliance obligations for explicit data access authorisation during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.

Another core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:

  • Advanced Threat Protection in Exchange Online Protection helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
  • Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats—provided by Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters—help you quickly and effectively enable alerts, dynamic policies, and security solutions.
  • Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches. In addition, it allows you to set up activity policies to track and respond to high risk actions.
  • Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which help with early detection and investigation of security and compliance issues.

As Microsoft Gold Partners, Complete IT Systems can offer you expert advice on the solutions and how they could be effectively deployed in your business.

To find out more please call us on 01274 396 213 or use our contact form and we’ll arrange a good time to call you back. This handy infographic from Microsoft also outlines succinctly how its solutions can assist your organisation’s GDPR needs.