Minding the little-known pitfalls of data leakage

Corporate use of unprotected, or even software-encrypted, portable storage devices puts companies in a vulnerable position with regard to data loss.
Written by Paul Mah, Contributor

Data leakage resulting from lost or stolen laptops is something most of us are familiar with. Equally prevalent, but less spoken of, is data leakage which originates from misplaced data storage devices such as USB flash drives or portable hard disk drives. 

Of course, organizations are certainly not helpless when it comes to protecting data. Businesses can easily defend themselves on this front with highly affordable software encryption offerings such as BitLocker To Go--both the Enterprise and Ultimate versions for Windows--or the open source TrueCrypt encryption software. Some USB flash drives also come preloaded with a proprietary software utility to encrypt data.

I asked Resham Ganglani, business development director of Halodata International, a company that specializes in data loss prevention (DLP), for his thoughts on software encryption.

"Software encryption is definitively better than no encryption," conceded Ganglani in an e-mail message.

But while recommending it for personal usage, he discouraged the use of software-based encryption for businesses. "[Software encryption] is too slow, dependent on installed software and in some cases, easy to crack. I definitely would not recommend it for corporate use."

An alternative to software encryption would be the use of portable storage devices with hardware encryption baked in. Many of these devices perform their data mangling transparently as information is copied onto them, often incorporating hardware for biometric or PIN-based authentication without having to use a host computer. The use of hardware encryption leaves no possibility of leaving files unprotected by mistake, or of employees skipping the software encryption process when in a hurry.

Of course, these do come at a price premium compared to unprotected portable storage devices. 

According to Ganglani, the new Personal Data Protection Act in Singapore regarding consumer data and the increased need for international compliance by multinational companies (MNCs) mean the days of standard portable storage devices may be numbered.

Personally, my concern relates to the robustness of hardware-encrypted storage devices, though devices armed with bogus or wrongly implemented hardware encryption no longer appear to be a problem. As such, it probably makes sense to either have them independently verified, or look to what government and MNCs are buying into.

Regardless, the use of portable storage devices is just one facet of the data leakage protection issue, said Ganglani. He noted: "I think companies should invest in a good DLP solution which solves the DLP problem but also invest in portable, hardware-encrypted devices so as to boost efficiency and productivity but not sacrificing the security."
