Why and Where to Use an Encrypted USB Memory Stick?

The difference between an encrypted and unencrypted memory stick

An encrypted USB drive and a memory stick (also known as a USB flash drive) are both portable storage devices that use USB technology to transfer data between computers. However, there are some important differences between the two technologies.

  • Security: Encrypted USB drives offer greater security than memory sticks. Encrypted USB drives use encryption technology to protect the data stored on the device, so even if the device is lost or stolen, the data cannot be accessed without the encryption key. Memory sticks, on the other hand, typically do not offer built-in encryption, so the data on the device is vulnerable to unauthorised access. The wide availability of USB drives makes them attractive to hackers, and an ideal vehicle for introducing malware into a company from within its IT firewall. Many applications require the transfer or storage of a small volume of sensitive data; and commercial USB memory sticks (thumb drives), whilst convenient, are just not secure enough.
  • Capacity: Encrypted USB drives are available in a range of capacities, from a few gigabytes to several terabytes. Memory sticks are also available in a range of capacities, but generally have lower storage capacity than encrypted USB drives.
  • Speed: Encrypted USB drives and memory sticks both use USB technology to transfer data, but the speed of data transfer can vary depending on the specific device. Some encrypted USB drives may offer faster transfer speeds than memory sticks, but this will depend on the specific models being compared.

The consequences of failing to use an encrypted USB memory stick

The loss of an unencrypted device carrying sensitive data can have severe consequences. Accordingly, if sensitive data must be transferred by a portable / removable memory device, an encrypted USB memory stick is a sound choice.

Encrypted USB memory stickHowever, as the media often reports, sensitive and personal data is being transferred by unencrypted devices far more often than it should be. As a result of this, in the UK, the Information Commissioner’s Office (ICO) is regularly fining organisations that lose personal data (such as customer details, including bank details). The ICO, which is an executive non-departmental public body and is sponsored by the Department for Digital, Culture, Media & Sport, defines personal data as:

 

“…any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details.”

 

During the last decade, the ICO has fined several organisations for the loss of data stored digitally but not encrypted. For example, in 2017 Heathrow Airport Limited was fined £120,000 when a USB stick reportedly containing a training video that listed 10 individuals (including their dates of birth and passport numbers) and information about 50 aviation security personnel was lost. The loss only came to light when the stick was found by a citizen.

 

Also, and other sign of the times, many legal firms are now offering services tailored to support those who are the victims of data breaches. For example, LegalHelpLine.co.uk, a trading name of Velasco Limited (authorised and regulated by the Financial Conduct Authority and registered with the ICO), offers guidance on making bank data breach claims. Recent guidance says:

“A simple act of negligence on the part of a bank employee or data processor could expose your personal bank details to online criminals actively seeking opportunities to exploit them.”

 

Quick and Easy

Unless sensitive data is encrypted when being transferred, the convenience of USB sticks is also their Achilles Heel. They can easily be mislaid. Or they might be stolen if left unattended. But the potential impact of these eventualities can be removed through encryption.

 

File encryption is now built into popular operating systems. For example, in Windows it is called BitLocker. It first appeared in Windows Vista (2007) but was enhanced with new encryption algorithms in Windows 10.

 

There’s lots of information (including videos) online showing how to use BitLocker to encrypt a USB stick so we won’t repeat it here. One step-by-step guide we liked was posted by the University of Chichester and can be accessed here.

 

What we will say is that encryption takes just a few minutes depending on the capacity of the device and how much of it you want to encryption (just the used space or the whole drive including free space). Also created during the encryption is a recovery key. It is a 48-digit numerical password. It too can be used to open the drive. Understandably it is important to keep the recovery key in a safe place.

 

The encryption can be removed (BitLocker turned off) from the device at any time. As with encryption, the time taken to unencrypt will depend on the volume of data.

 

However, encrypting USB sticks relies on human intervention and the hope that employees remember to encrypt the device in the first instance.

 

There are several options available to companies to ensure encryption is not overlooked:Encrypted USB memory stick by Flexxon

 

 

 

  • Use a USB with a unique form factor that gives the added benefit of unique physical connection between the memory connector and memory stick and ensures that the information stored cannot be readily transferred to unauthorised PCs because they would lack the unique mating connectors.

Furthermore, a unique form factor such as RUGGEDrive™ receptacles help protect the user from viruses and other malicious files such as malware and Trojans. For instance, if a member of staff takes a document home using a USB or CD, the file can become infected on their private PC. When they return to work and plug the USB back into their work laptop, the virus is transferred into the company’s network. This situation is impossible to replicate with RUGGEDrive™.

 

A further benefit of these rugged, portable memory devices is their reliability; the receptacles are rated for 50,000 usage cycles. This is a distinct advantage over most consumer-grade USB and SD connectors which are only rated for 1,500 and 10,000 cycles respectively.

 

With so many options available to companies for securing personal data, there’s really no excuse for negligence.