
USB drive image by Brina Blum on unsplash.com

Last week brought an unexpected headline in the cybersecurity world, one that few of us were expecting in a year marked by high-profile software vulnerabilities: a single, missing USB drive containing personal information on the residents of Amagasaki, Japan, a city of nearly half a million people. All of them, according to reports.

Here are some of the facts of the story, first published by NHK World in Japan, a public broadcaster similar to PBS or the BBC: “One of the company’s employees lost the USB on Tuesday. It had data on the names, addresses and dates of birth for all the city’s residents, as well as how much local taxes they had paid and information on welfare benefits. The company explained that the employee had drinks after work and later fell asleep on the street, but when he woke up he realized that he had lost the bag containing the USB,” the broadcaster reported.

The man later found the USB drive after contacting police. It is unclear whether anybody accessed the drive while it was missing. To be clear: the incident was reported as a potential data loss, not a confirmed one, as is required of many organizations and employees who handle sensitive data.

USB drives haven’t been in the news for security incidents like this recently, because in many ways their use has become outdated. USB sticks are a well-known vector for delivering malicious software, and cloud providers offer easier, more cost-effective and more controllable ways to move data, so many organizations, public and private, have banned their use entirely.

IBM, for example, has told staff that they are no longer allowed to use removable storage such as USB sticks, SD cards and flash drives. According to media reports, the possibility of “financial and reputational” damage if staff lose or misuse the devices prompted the decision. IBM employees who need to move data around are reportedly encouraged to do so via an internal network instead. The decree banning removable storage acknowledges that complying with it could be “disruptive.”

But that doesn’t mean employees with broad access to personal information like this don’t also have that information on other devices that can be lost or stolen. Tablets, phones, watches: any device that stores or transmits valuable data or intellectual property can be targeted by a committed cyber thief.

Companies can certainly improve their security posture by banning, or significantly controlling, the USB drives allowed on their networks. But the forward-looking lesson of the Japanese incident is that hardened defenses in cloud and software can leave unchecked or overlooked vulnerabilities in hardware, especially in this age of the internet of things. Strong asset controls and risk-ranking of data can help mitigate these problems. Where removable media cannot be banned outright, enforcing device encryption and device-control policies limits what a lost drive actually exposes.

Protecting data on discarded hardware and data-bearing devices — USB drives, included — is too often overlooked.

For environmental, regulatory and sustainability purposes, these devices must be responsibly recycled. When that happens, the process should always include complete, verified data destruction, whether by cryptographic erasure, overwriting or physical destruction of the media. Deleting files or performing a quick format does not remove the data, so guaranteed, documented destruction is key. Some companies believe their data is being wiped when they drop devices off for recycling, and that is not always the case.

Unethical and illegal shipping of e-waste abroad adds another layer to the hardware security problem: it puts data-bearing devices, and with them the privacy of corporations and individuals in the United States and potentially national security information, into the hands of whoever buys the scrap. Recycling these devices is important, but it must be done the right way. Make sure your e-waste recycler is NAID certified, for starters.


Kate Fazzini is Director of Security Operations and Engineering at Ziff Davis; an adjunct professor of cybersecurity at Georgetown University; author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.

John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.

