IronKey

Mobile Data Security Blog

Home  »  Archive by category "Personal Information"

by

Keeping Patient and Hospital Information Safe

In September 2014, Forrester Research published a brief titled “Stolen and Lost Devices Are Putting Personal Healthcare Information at Risk”. Amongst the findings were two important trends:

Healthcare is becoming more mobile – approximately one-third of healthcare employees now work outside the office or clinic at least once a week.

Healthcare records are five times more likely to be lost due to device theft or accidental loss.

Today, personal healthcare information (PHI) records are more accessible than ever before. These PHI records contain important personal information such as social security numbers, medical history, and insurance information. Technological progression in the medical world is giving us advancements such as real time medical data on our smartphones and mobile messaging systems so hospital staff can get to patients faster. Although this progression is exciting, with all of this patient information floating around in technology, it makes it harder to keep our data safe.

With so much mobility, it’s not surprising that data protection has become a big problem. Mobile devices are simple to carry from one workplace to the next, but they can be easy to lose. To protect our data, we need a way to prevent unauthorized people from accessing the content of a lost or stolen device.

The solution is to use encrypted USB or external hard drives, such as the new IronKey™ S1000 3.0 USB. These secure storage devices combine encryption, which encodes data, making it unreadable to all but authorized users, with cloud-based management functionality that enables an organization to remotely wipe data from a device even if it is no longer in their possession.

Healthcare facilities need to address the realities of mobile work practices but they also need to protect the information in their care. The task is made a lot easier with a good device policy and the right tools.

by

The Age of Hacking

In today’s digital age, teaching children to code seems like a fantastic idea. Children are already spending huge amounts of time using technology, whether it’s a laptop, smartphone or tablet device and these IT skills can be essential in their future careers. However, whilst we must help a new generation of competent workers prepare for the digital world, how can we make sure that children will use their coding and programming skills for good and not evil?

Over the past years we’ve seen a number of technological innovations aimed at equipping children with basic programming and coding skills – from the Raspberry Pi to the recently launched Hackaball, a programmable ball aimed towards 6-10 year-old children. This demographic has been a key target for the UK government who have dominated the primary computing curriculum since September 2014.

However, with these skills being so easily transferrable to illegal activities such as hacking and cybercrime, how can we ensure that the lure of mischief, malice and money won’t sway children to ‘the dark side’? In January of this year, a seven-year-old girl hacked a public Wi-Fi network in just over ten minutes by learning how to set up a rogue access point to activate what is known as a ‘man in the middle’ attack. We know that this is already happening – hackers as young as 16 years old have been arrested for cybercrime, and the Home Office has warned that young video game hackers could be the next generation of cybercriminals.

So how can we tackle this? When it comes to children and young adults, the first place to start is at school and at home. Responsible adults, teachers and parents have a duty to ensure that their children, or pupils, are not engaging in criminal activity, and this is no different in the cyber world.

However, the problem we encounter here is the massive gulf between adults and children when it comes to understanding technology. An Ofcom survey released in August last year found that younger people have a far more advanced understanding of technology devices than adults – with 6 year olds having the same level of knowledge as the average 45 year old. In fact, teenagers aged between 14-19 years old are the most digitally confident in the UK.

If teachers and parents are to monitor and guide young people’s use of technology and make sure they’re not becoming involved in cybercrime, they must first be able to understand the technology themselves.

Secondly, we must consider the types of devices and technology that young people are using and put appropriate security measures in place to limit the possibility of malicious use. Technology like the Windows To Go USB Flash Drive would give young coders a replica desktop, just like the one they have at school, that they can take home and use on any device, without affecting or accessing the data and operating system sitting on that device. With a Windows To Go device it’s very easy to manage activity. The school can control the transfer of information and wipe, delete, monitor actions on the device, this way, the youngsters can hone their coding skills without being able to get in trouble by conducting activities outside the school’s remit.

What is clear is that we must not discourage children from learning these skills – they are absolutely essential for future employment and also play an important role in their everyday socialising with their peers. We must also accept that we cannot stop this evolution. Children are already learning these skills, with or without your knowledge and input, so the best we can do is to help shape that knowledge and put them on a good path.

by

Whistleblowers: Data Theft or Public Service?

A Perspective from the UK

Over the past few years there have been a number of high profile cases where whistleblowers have leaked information to the public, highlighting wrong-doing, corruption and malpractice amongst trusted institutions. Whilst some of these cases have clearly disclosed information that is in the public interest – for example the recent inquiry into the fatalities at Morecambe Bay Furness Hospital – other whistleblowers have disclosed sensitive corporate data leading some to question whether the information is truly in the public interest, or is in fact a data breach.  

What is clear, is that whistleblowing can have huge financial repercussions – in fact, The Pentagon has recently said that it may cost billions of dollars to overcome the damage to military security by Edward Snowden’s release of classified intelligence documents.

From a corporate perspective, unfounded whistleblowing is essentially another type of ‘insider threat’, and we know that this issue is climbing higher on the risk agenda for IT departments worldwide. Organisations must assess the threat that this form of data leakage can have on their business and put measures in place to protect their businesses.

Firstly, businesses can use an array of solutions to protect corporate data on computers, laptops, wireless networks and in the workplace. For organisations seeking extra security, an Enterprise Management System, with a command centre whereby device activity can be viewed from all over the world, provides a robust and highly secure solution. Data can be securely stored and if an employee fails to return to work, a device can be destroyed remotely.

There are however, many other complex regulations to consider when it comes to the issue of whistleblowing.

Under the Enterprise and Regulatory Reform Act 2013, whistleblowers have to show that they “reasonably believe” that the disclosure they are making is in the “public interest”. Unfortunately, what amounts to “public interest” is not defined in the legislation and it will be left to the courts and tribunals to lead the way with their interpretation.

The law states that an individual is permitted to declare information/whistleblow if someone’s health and safety is in danger, if there is damage to the environment, if the employer is committing a criminal offence, if the company is failing to honour legal obligations or if the company is covering up a wrongdoing.

Many of these exceptions will pose no threat to the everyday corporation, therefore the key threat is the possibility of an ex-employee sharing sensitive information.

Although the Data Protection Act gives businesses additional protection when private data is at stake, there is still a concern that ex-employees will speak out about historic events such as previous data breaches experienced whilst employed.

A ‘Compromise Agreement’ is becoming a common solution to the problem around employee trust. Organisations are adding a clause in contracts to ensure that all confidential information remains confidential, and employees are then prevented from making defamatory comments or disclosing sensitive information, even after they have left a company.

This month, Sir Robert Francis QC announced a ban on the ‘Compromise Agreement’ for hospital staff. In the health sector, where lives are at stake, it is clear that the act of whistleblowing must be protected.  Some incredibly shocking stories have been revealed highlighting horrendously poor care and unacceptably high mortality rates. This has of course had a positive outcome and forced trusts to introduce new regulations to improve patient care.

For the corporate world, however, whistleblowing poses quite a different risk and can cost organisations hundreds of thousands, or even millions of pounds to repair. Businesses must reduce this risk by protecting their data, which lives both inside the building and outside on employee mobile devices and in the cloud.  This way, they can put themselves one step ahead of the game.

Organisations need to ensure that they have permissions and privileged access in place to protect sensitive information to avoid the potential for these to be breached.

Businesses need to keep account of and collect any devices that may have been issued such as mobile phones; tablet, laptops, proprietary software or data, failing to do so could have detrimental repercussions.

Ensuring intellectual property and sensitive data remain secure is an on going challenge, and if businesses are failing to protect this information, the threat from whistleblowers will endure.

by

Introducing the Golden IronKey Program

The iconic IronKey flash drive is going GOLD to commemorate more than two million devices sold!

Leading enterprises and government agencies in more than 50 countries turn to IronKey to protect their invaluable data and secure their mobile workspaces.  To celebrate this milestone, we have launched the Golden IronKey Program to thank our largest and most loyal customers and channel champions.

The Golden IronKey drives are our new IronKey Basic S1000 USB 3.0 8GB high-performance, high-security drives encased in our traditional durable aluminum housing with an exclusive gold finish.  And we’ll be giving away 1,000 of these limited edition drives!

How can you get one of these Golden IronKey drives?

IronKey by Imation executives and employees will be giving these limited edition drives to select customers and partners.

IronKey customers can also receive a Golden IronKey by sharing your personal story about how our products are being used in your enterprise.   To go for the gold, all you need to do is answer the questions outlined in our submission criteria; which is really just the basics.  You can find the submission criteria on the Golden IronKey website page or download our submission guidelines.  Once completed, simply email your submission to goldenironkey@imation.com.

It’s rewarding to see customers around the world using IronKey to safeguard their mobile workforce and the data it depends on, no matter where it goes.

We invite you to join in on the conversation with #goldenironkey.

by

The Value of Encryption

With high profile security breaches such as the iCloud hack and the leak of celebrities’ private photographs hitting the headlines, the concern for the security of our own personal information and sensitive data is mounting. Apple’s response to the data breach was to increase the level of security following the incident with the introduction of default encryption on phones, demonstrating the importance of encryption as a safeguard to protect data.

Encryption is simply the translation of data into code, using a defined algorithm, and is considered one of the most effective means of ensuring data security. Access to encrypted files requires a key or password that enables you to decrypt it by restoring it to its original form. Whilst most data transmitted over a network is sent in clear text, by incorporating encryption algorithms, users can protect data and make sure that only the intended recipient can decode and read the information.

Although there are many different types of encryption, they all serve the same purpose: to keep our data protected and secure. Storing any sensitive information is inherently risky, but in order to do this effectively, action must be taken to reduce the risks of inappropriate disclosure.

Given that a large amount of data can be stored on USB’s, smartphones and tablets, there is a real danger that personal information could be compromised should such a device end up in the wrong hands. We recently published research which found that over one third of respondents would look at, or try to open/access a device if they found one , showing that even when mislaid devices are found by conscientious members of the public, the devices may be examined and opened.

The problem is that users want devices that are easy to manage, hassle-free and allow them to go about their lives securely. Measures such as optional encryption do not fit into this lifestyle. Users will not hunt down new security features, either because they don’t know they need them, or perhaps think they already have them.

Whether it is personal or corporate data, security needs to be a necessity, and users should be provided with everything they need to protect their intellectual property.

For businesses, encryption can be a simple and effective means to protect sensitive information. Being able to manage and track the encrypted data, knowing who has accessed it, from what location and on what devices that information resides is also essential.

A Windows To Go device is a securely encrypted, IT-managed USB drive that gives businesses control over what happens to sensitive data, and is easy to use. It contains a fully functional corporate Windows desktop. Employees insert the Microsoft certified USB drives into their home computers, hot desks, or tablets that feature USB ports, and they receive a secure desktop and secure access to all applications and data they use in an office setting.

Unlike a virtualised or online remote access solution, the portable workspace offers full host computer isolation, meaning documents cannot be saved to the host machine but are saved to the USB drive, which can be locked down and remote wiped if required, and all data will remain secure without the threat of a potential data breach.

Encryption is a valuable and essential tool for securing your data. Don’t give users the opportunity to be unprotected; security needs to be a default – not an option.

by

The Cost of Cybercrime

 

Hackers are holding the world to ransom with cyber-attacks costing the global economy more than £238 billion a year¹. These attacks damage the global economy almost as much as illegal drugs and piracy, with financial losses from cyber theft resulting in a potential 150,000 European job losses.¹ Cybercrime is a growing menace which is proving to be an ever growing challenge for individuals and businesses. US retailing giant Target saw its earnings drop 46% after an attack that leaked more than 40 million customer credit card details², whilst eBay and Office have also been ‘hit’ this year, with customer data compromised.

Despite these devastating implications, the public, corporates and their employees continue to be careless with their valuable and highly confidential data –residing on laptops, tablets and mobile devices. Cyber espionage and theft of individuals’ personal information is believed to have affected more than 800 million people during 2013¹, and our mobile working culture has made data security an even greater challenge.

With IDC estimating that over one million smartphones were shipped last year³, someone somewhere in your company is using a personal, mobile device to connect to a corporate network and download sensitive data – making your organization a sitting target for cybercriminals. Companies must equip their employees with the means to protect corporate data from threats such as identity theft and cyber espionage, whilst mitigating the dangers associated with unsecured devices and free Wi-Fi hotspots.

Mobile devices need to maintain the same high levels of security as office-based desktops and servers, with only IT provisioned laptops or tablets connected to corporate networks. But, the best way of ensuring hackers can’t gain access to your company data, is by storing all your data on a secure fully encrypted Windows To Go USB flash drive. It provides employees with an IT managed and provisioned Windows workspace that replicates their secure office desktop environment, on any device that the USB is plugged into. This also means IT departments do not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives which saves time, resources and introduces vast cost savings.

Staff awareness plays a crucial role in protecting the company network against cybercrime. Often under-estimating the inherent security risks of using personal devices in the office, employees must be educated to handle these responsibly – on a proactive, ongoing basis rather than waiting until a security breach occurs, when it’s too late.

With so many high profile security breaches making the headlines, organizations want to know that corporate data is secure at all times, regardless of where it resides, whilst employees need the flexibility to work remotely. Cybercrime can have a devastating impact on your business in terms of cost and reputation. Your organization can’t afford to be tomorrow’s headline…

 

Sources:

¹McAfee report, June 2014 – Net Losses: Estimating the Global Cost of Cybercrime

² http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

³ International Data Corporation (IDC)Worldwide Quarterly Mobile Phone Tracker, Jan 2014

 

 

 


 

 

 

by

Travel Light and Secure

 

Hi, I’m Peter. I’m a Senior IT guy working for a big, growing enterprise.  I set the strategy and I’m responsible for the execution of IT infrastructure in my organization.   I need to worry about cost, security, and keeping my customers happy. We have pretty solid IT processes leveraging Microsoft tools, so I’m not about to set my IT team on some wild new solution that requires years to integrate. Recently, after a big meeting with the execs on cutting costs, I came across Windows to Go from Microsoft. Here is a solution that is secure, can save tons of money, make my customers happy, and fits into my IT workflow – Freakin’ SWEET!  My CISO stood up and applauded when I presented this to senior MGMT.  Needless to say I’ve become a big fan. In fact, they call me Windows To Go Guy around here. There are so many ways to apply this technology across my organization. I don’t get a commission on this stuff – I just love cool technology that makes sense. Here’s my blog entry:

Disclaimer: This blog is based on real Windows To Go ® use cases.  The character is fictitious to protect the names of our customers.  Any resemblance to actual customers is coincidental and not intentional.

I’m a Windows to Go guy. I carry my workspace around with me in my pocket, wherever I go. I don’t have to worry about hiding a laptop under the car seat. I don’t have to worry about it sliding off the seat during a sudden stop and I don’t need to try fit it under my coat during a sudden downpour.

One evening after work I had promised to stop at the local store to pick up some groceries. In line ahead of me were some military personnel dressed in camo. I noticed one person was carrying her laptop.
“Hey folks, I really appreciate what you guys do for our Country, but tell me, what’s with the laptop in the grocery store-are you expecting an email from the president?” I joked.

The corporal replied, “Military rules- laptops can’t leave our side. We even take them into the bathroom”.

“That stinks,” I replied.  “Let me show you something,” I replied. I whipped out my IronKey Workspace W500™, my PC on a Stick™ and explained that this was my laptop, FIPS secured against the worst imaginable attacker. It is virtually indestructible too, and I intentionally dropped it onto the hard tile floor to make my point.

“I have got to get my hands on one of those” she said.

“You are right about that, we can make your next bathroom or grocery stop a much more pleasant experience.” I replied.

by

Security Policies – The Importance of Getting It Right

 

Last month I was chatting with a journalist and he asked me what my top three security tips for an organisation would be. I started answering his question by saying that companies had to look beyond ‘good enough’ security, consider whether passwords in their current format were really secure, and just as I was about to deliver my third tip, I realised that these were all superseded by the need for a comprehensive security policy, which if approached correctly would address these points.

By comprehensive I don’t mean that companies need to create an enormous document with sub sections of sub sections. What I do mean is that any security policy needs to take into account new developments, disruptive technologies and the ongoing evolving, sophisticated nature of cyber attacks. A security policy cannot be a static document and yet all too often it is. Security is a constantly changing market and, as such, companies cannot afford to be complacent/fall behind.

Not sure? Well just think about the IT environment just five years ago. How we work, the devices we use and where we store content has all changed. Previously companies could be confident that sensitive data was stored only on PCs, but now that information sits on smartphones, laptops, tablets and cloud. The associated security risk is wide ranging. That’s why your security policy needs to be continually evolving – taking changes in working practices, not just the security landscape, into account.

Here are my top five tips for ensuring you create a robust security policy that, rather than gathering dust, provides tangible value to your business:

1. First of all, you need to ensure that you understand your business’s operating environment so that the policy effectively mitigates the threats and risks you face, as well as looking after the assets that you’re seeking to protect. Could lives be lost or just corporate data? Are you subject to the risk of corporate espionage and insider threats on top of cyber attacks? This might seem like an obvious point, but is often overlooked by companies. There is no one size fits all approach when it comes to formulating a security policy – it should be as unique as your business.

2. It’s unlikely that without the aid of metal detectors and full body searches you’ll be able to completely ban or prevent the use of portable storage devices within your organisation. Especially as more and more employees work from increasingly disparate and varying locations. Therefore, a key element of any security policy should seek to protect the data on those devices and state that only password protected USB devices should ever be used to store corporate data.

3. No computer or tablet that’s not ‘locked down’ by IT should ever be connected to the corporate network – either from inside (fixed line or wireless) or outside (VPN or VDI). Equally though, your security policy needs to actually enable your business. So, in order to ensure you can accomplish this without causing a lot of user frustration, consider allocating employees with a corporate computer for use inside the network and an IT secured USB device for outside.

4. Encrypt your data. Whether your data is in transit or at rest, encryption is absolutely critical to safeguarding confidential company information. Whether you use strong authentication or hardware encryption will very much depend on your organisation, but don’t make the mistake of thinking that encryption is a silver bullet. You need to be able to manage encrypted devices in order to ensure that if there are any concerns that data integrity has been compromised, it is possible to remotely wipe the device.

5. Human error is a huge potential vulnerability when it comes to security and your policy should seek to mitigate the risks associated with human nature. Passwords in their current format are inherently insecure, so don’t rely on them alone. Use multi-factor authentication such a voice, retina or biometrics – something unique to the individual. This might all sound a bit ‘Minority Report’ now, but in five years’ time, such implementations will be commonplace.

Does your organization have a comprehensive security policy in place?

by

Encryption and Management are the Keys to Securing the Mobile Workforce: Secure Mobility Face-off, Part 2

 

I’m perplexed. Why don’t more companies encrypt their employees’ sensitive data? There is no technology barrier and the cost is insignificant compared to the cost of a data breach.

In a world where a data breach can cause tens or hundreds of thousands of dollars in fines that are only magnified by negative publicity, why wouldn’t every organization simply enforce encryption on data at rest – in servers, on laptops, and on USB drives – as a basic standard for doing business?

The need for encryption everywhere is further magnified by BYOD. IT leaders are waking up to the opportunity to extend BYOD strategies to PCs using technology like Windows To Go to reduce costs and improve productivity.

With Windows To Go, users can now put their entire Windows 8.1 operating system with their applications on a certified Microsoft USB drive, e.g., your whole PC on a Stick ™. The drive should be encrypted and ideally hardware encrypted to protect your private files from both brute force and physical attacks.

Strong Mobile Device Security – Encryption + Management

But encryption only gets you so far. What if a formerly trusted employee walks off with their drive, or what if their password is compromised? As an IT customer at a university recently told us:

“An unmanaged USB is like a time bomb.”

Encryption and management go hand in hand. Management improves the user experience by automating authentication for lost passwords. Systems like IronKey Enterprise Management ™ allow devices to be tracked whenever they are plugged into an Internet-connected PC, and even enable remote kill commands, so that a lost device can be completely disabled from afar.

This capability means that in a BYOD scenario, a hardware encrypted, IT managed Windows To Go PC on a Stick actually offers greater security than the typical PC deployment!

If you want to learn more, see our latest whitepaper for an in-depth look at how organizations can use Windows To Go to empower and secure their mobile workforce.

 

 

by

Sochi Games and Windows To Go – BYOB — Bring Your Own Burner

With reporters just starting to show up at the Sochi Games, their horror stories are emerging on everything from yellow drinking water, poisoned dogs and roofless hotel rooms to a hacker heaven. Digital connectivity and security are going to be hot topics and major issues during the Games. The IronKey Workspace™ for Windows to Go, a PC on a Stick™, is a great solution for anyone traveling to Russia. Here’s why:

Russia has LAWFUL interception of ALL communications. There is ONE network, completely government controlled. What this means is, if you want to be online — unless you are working on a highly classified government network from your country of origin — you WILL be monitored and almost certainly hacked.

Even if you have a VPN, the Russian network will own your PC, your credentials, your certificates, etc. So you’re toast.

But you have to be connected and get work done. What do you do?

Take three things on your trip:

  • IronKey Workspace W500™ for Windows To Go, with your needed applications and public files. You can plug the Windows To Go drive into almost any computer, work solely from the USB stick and not leave a trace behind.
  • Laptop, with the hard drive either disabled or removed (just to be safe)
  • Burner cell phone – buy with cash.

The good news is you can be connected this way without digital harm. The bad news is that, while you’re in Russia, you’ll have to assume all of your communications are public and not secure.  But you can stay completely connected, be productive, and still be safe when you return home.

While in Russia, you can use Windows To Go in your laptop, do all your work with your regular applications and stay connected to home base. The Windows 8.1 operating system you load on Windows To Go must contain applications and files that are not sensitive, because once you log on to the network, you need to assume anyone can see them and know it’s you. Same thing with when you use your cell. Even burner cells can be traced and triangulated. Just ask the DEA.

Once you get home, have IT re-provision your Windows To Go device. Or do it yourself. Load up all your applications and files, including all the sensitive ones. Windows To Go can be used again, completely securely in other countries. You can use it with your regular laptop or the drive-less one you got for the trip. Destroy the cell just like in cop shows.

Bon voyage!

 

w500-sidebar