There’s a material that can cost up to £10,000 a gram, yet you’ll find it in most homes and every office. It’s not an illegal drug, nor is it a precious metal. It’s a humble USB stick and, in spite of this astronomical price tag, that’s not all that it could cost.
Flash drives are the perfect portable storage medium. They typically weigh about 10-12 grams and can store up to 256GB of data — and often more. This makes them eminently easy to lose or steal, while their huge storage capacity means that a misplaced USB can have devastating, ruinous consequences for its owner.
Heathrow Airport found this out the hard way when it lost a flash drive containing sensitive personal information of up to 50 security workers, as well as a training video that exposed the names, dates of birth and passport numbers of a further ten. The loss of this little data stick cost Heathrow a cool £120,000 fine from the Information Commissioner’s Office, proving that data really is worth more than its weight in gold.
In the cyber security age, has physical security become an afterthought?
Time to take physical security seriously
Significant as fines for data loss incidents can be — up to 4% of turnover in the case of GDPR — it’s arguable that the reputational damage from a major breach is even worse. So why are businesses not doing more to protect the physical security of corporate devices?
For all the money spent on antivirus, threat detection, encryption and other logical security measures, physical protection remains the Cinderella of cyber security. No-one denies that it’s important to protect corporate networks and endpoints from unauthorised access, but why do so few organisations take the necessary steps to prevent device theft or “shoulder surfers” who need nothing but good eyesight to read sensitive data off the screen?
In 2018 businesses spent almost $100 billion on information security, even though the proportion of global firms that experienced breaches rose in the same year. It’s not that businesses are wrong to invest in logical security systems – far from it. It’s rather that many are neglecting some very simple and highly affordable measures that would have a major impact on their ability to protect against data breaches.
Light fingers and prying eyes
Perhaps it’s no surprise that physical safeguards are taken far less seriously than logical security. Invisible threats seem more insidious and mysterious — the mystique of a North Korean hacker stirs the imagination far more than a light-fingered thief or a snooping shoulder surfer on public transport.
But no less an authority than the FBI cites laptop theft as one of the world’s top three computer crimes. Meanwhile the cost of letting someone read sensitive information off your screen — perhaps a rival from a competitor company sitting behind you in Business Class — is impossible to quantify.
Businesses need to teach their employees to take better care of sensitive data when they’re on the move. This is a matter of education, of course, but will also involve a small outlay on physical security devices.
Organisations can also help their employees to guard against hardware theft by issuing them with cable locks to be used whenever they are away from their device for more than a few seconds. It’s astonishing that we seem to take more care of an old bicycle than we do of a device that may cost several thousand pounds and which could contain data worth immeasurably more.
Of course, these physical measures must be accompanied by employee education so that every business traveller is aware of the potential threats to corporate data and the consequences of a breach. Using something like privacy screens and cable locks needs to become second nature, not a behaviour that’s only learned after an employee has been successfully targeted by a criminal.
Compared to the consequences of an easily preventable breach, however, the amount of time and money needed to make a real difference to security is negligible. When data is worth far more than gold, it makes sense to treat it accordingly.