Top secret defence documents belonging to the commander of Australian operations in the Middle East stored on a USB drive went missing from the backpack of a military aide travelling on a commercial flight from Dubai to Pakistan.
It is believed the USB went missing after the flight arrived in Kuwait for a scheduled stop over. When the flight arrived in Islamabad it was disclosed by the commercial that a number of the checked in bags had been lost and it took several days for them to be all located.
The loss of the material was considered to be a major security incident by defence authorities and highly likely to be the product of a deliberate theft operation by undisclosed foreign agencies. The incident highlights the risks of transporting sensitive information stored on a USB drive without proper risk assessments or security protocols in place and being undertaken.
Australian Defence has declined to reveal what exactly what was on the drive but it appears that it did contain the emails of Major-General Cantwell and the aide, downloaded from the Defence Secret Computer Network. An intelligence source said the increasing use of powerful electronic storage devices to contain classified material has become a particular concern for governments worldwide.
Though your organisation may not have military secrets stored on devices or laptops, it is fair to state that they do contain information that would be of use to a competitor and the inadvertent leaking of information would harm your company. Some of the data may be commercially sensitive whilst others you are obligated to store securely such as names and addresses of clients, credit card numbers, financial information, medical information etc.
Prevention is far better than cure in this situation; in fact, once the data is loose on the web or being sold to other parties there is no real cure. Loss of client confidence and crippling costs to remedy the situation such as offering free credit check updates and cancelling accounts means that if this situation can be avoided, it should.
Therefore, it is recommended that a company or organisation should take at least the following steps in regards to information security for transported data:
- Conduct a risk review as to what type of company or organisation data is likely to be transported on a drive or laptop
- Draw up a security policy determining who should be authorised to transport sensitive data and what precautions must be taken
- Identify the individuals [salesmen, executives, managers] whom are most likely to be transporting the data – decide whether benefits outweigh risks of data loss
- Ensure that these individuals have been full briefed as to company security policies including complex password protection on all devices
- Prevent unauthorised personnel from being able to copy or duplicate sensitive data onto drives via IT protocols
- Consider having all data stored on external drives being encrypted using standard software such as True Crypt
- Consider having all laptops and smart phones link to servers via Citrix or VPN so that minimal data is stored on the device
- Create an emergency system to track any stolen or missing devices with a regular asset review to ensure all data is being maintained
- Implement a data clean up system so that all drives are sterilised when are no longer needed
Data loss can occur due to bad luck through to being the victim of a targeted operation by a third party. At best there is severe embarrassment but worst case scenario can lead to loss of clients and hefty fines from regulators. Creating an atmosphere of data protection among the organisation can go a long way to preventing such losses.
Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to firstname.lastname@example.org with your contact details and we will respond at once.