Internal cybersecurity awareness article. Links are not live, but originally went to documents on company intranet.
Call it The Curious Incident of the Dropped Data.
A pedestrian on a West London street noticed a USB drive dropped on the ground. When plugged into a public library computer, it turned out to contain a treasure trove of Heathrow Airport security information, including:
- patrol routes
- personal information for security workers
- routes and safeguards for Cabinet ministers and the Queen
- maps and identification requirements
- technical information on the airport’s ultrasound radar scanners
The person who found the drive took it to The Mirror newspaper, and the case became a scandal, ultimately resulting in a fine of £120,000 (nearly $160,000 US) for airport management, which is scrambling to implement safeguards.
A lot went wrong here. While our company doesn’t manage Elizabeth II’s travel arrangements, the case offers some good lessons for keeping our company and client data secure.
- Small USB drives, or “thumb drives,” can be very convenient – and very dangerous. Airport management did not have policies governing their use. Our company does: Policy 39, which sets security standards for portable devices and removable media. Among other things, it requires you to encrypt restricted or confidential data before loading it onto a removable drive, and to report the loss or theft of any such drive immediately.
- Avoid using thumb drives at all. They can be used to spread malware – the passerby who found the Heathrow data could have started a virus attack by plugging the drive into the library machine. Instead, store and share your data in approved cloud drives such as OneDrive.
- If you must use a thumb drive, be sure to scan it for viruses, and encrypt your data before loading it onto the device. Then set a password on the device itself – a good, difficult-to-guess password, not “USB123.”
- If a colleague wants to give you information on a thumb drive, say no! Ask them to send it by email (so that our company’s antivirus systems can scan it) or to share it as a link from a secure cloud drive.
One important gap found at Heathrow was in its employees’ security training and awareness. So just by reading this article, you’re helping to improve our defenses! Other steps to take:
- Join the Information Security Awareness group on Yammer.
- Follow the Information Security Awareness page on SharePoint.
- If you haven’t already done so, take the Security Awareness training.
And please, don’t pick up stray USB drives in the street!