Companies are increasingly encrypting laptop drives. USB flash drives, external drives, and memory cards are encrypted much less often. Yet these are the ones most frequently lost.
When a laptop goes missing, it is immediately clear that something happened. A USB flash drive falls out of a pocket in a taxi, is left in a USB port in a conference room, or gets lost in a bag. Often no one notices for a long time. And that small storage device may contain contracts, proposals, customers' personal data, project documentation, invoices - everything stored without any protection, because "it's just a USB flash drive".
Meanwhile, from an IT security perspective, an unencrypted USB flash drive with corporate data is exactly as dangerous as an unencrypted laptop. Whoever finds it plugs it into a computer and gets immediate access to all files. No password, no lock.
What a company loses when a storage device falls into unauthorized hands
A stolen or lost unencrypted storage device containing personal data is a data breach under GDPR. The company has 72 hours to report the incident to the UODO (the Polish data protection authority). However, the report itself is only a formality - the real risk is losing control over customer, employee, or partner data.
An encrypted storage device in the same situation does not pose a real threat. The finder sees an encrypted volume - without the key, it is a string of meaningless characters. In most cases, this removes the obligation to report a breach and - more importantly - the data remains secure.
How external storage encryption works
The mechanism is identical to laptop drive encryption. Data is encrypted and unreadable without the key - on any computer, regardless of the operating system.
In Windows, BitLocker To Go is used for this - a built-in feature, an extension of the same mechanism that protects system drives. An encrypted USB flash drive requests a password every time it is connected. Without it, the data is completely inaccessible.
For the user, the difference is minimal: they connect the device, enter the password, and work as usual. For the person who finds the device - the data is unreachable.
Manual encryption does not work in practice
One could say: let every employee encrypt storage devices themselves before saving data. In theory, simple. In practice - ineffective.
Manual encryption requires several additional steps every time. People are in a hurry, forget, and bypass procedures when deadlines are tight. One unencrypted storage device with customer data is enough for the company to face a serious problem.
The right approach is to enforce encryption through a system policy.
The IT administrator sets a policy that blocks writing data to unencrypted external storage devices. An employee connects a regular USB flash drive - Windows refuses to write and prompts them to encrypt the device. There is no possibility of accidentally taking unprotected data out, regardless of whether the employee remembers the procedure or not.
Such a policy is deployed centrally through a device management system and applies to all employees at the same time.
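One way to check on a workstation that the write-blocking policy described above is in force, as an added example (not Helpwise IT's own tooling). It assumes the policy is delivered as the Group Policy setting "Deny write access to removable drives not protected by BitLocker", which Windows stores as the RDVDenyWriteAccess registry value; the function names are illustrative. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the removable-drive write-block policy and the
# BitLocker state of every removable volume currently attached.

# Assumption: the policy is the Group Policy setting "Deny write access to
# removable drives not protected by BitLocker" (value RDVDenyWriteAccess).
$fveKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-RemovableWritePolicy {
    $prop = Get-ItemProperty -Path $fveKey -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    # A missing key or value means the policy is not configured on this machine.
    [pscustomobject]@{
        Configured = [bool]$prop
        Enforced   = ($null -ne $prop -and $prop.RDVDenyWriteAccess -eq 1)
    }
}

function Get-RemovableVolumeReport {
    # 'Removable' covers USB flash drives and memory cards; many external hard
    # disks report as 'Fixed' and need a separate check.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mount = "$($_.DriveLetter):"
        $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        # A locked volume is a BitLocker volume even though its status cannot be read.
        $isEncrypted = $blv -and ($blv.VolumeStatus -eq 'FullyEncrypted' -or $blv.LockStatus -eq 'Locked')
        [pscustomobject]@{
            Drive        = $mount
            FileSystem   = $_.FileSystem
            VolumeStatus = if ($blv) { $blv.VolumeStatus } else { 'Unknown' }
            LockStatus   = if ($blv) { $blv.LockStatus } else { 'Unknown' }
            Encrypted    = [bool]$isEncrypted
        }
    }
}

$policy = Get-RemovableWritePolicy
$drives = @(Get-RemovableVolumeReport)

"Write-block policy configured: $($policy.Configured), enforced: $($policy.Enforced)"
$drives | Format-Table -AutoSize

# The case the policy is meant to prevent: a writable, unencrypted device
# attached to a machine where the policy is not enforced.
$unprotected = @($drives | Where-Object { -not $_.Encrypted })
if (-not $policy.Enforced -and $unprotected.Count -gt 0) {
    Write-Warning ("Policy not enforced and unencrypted removable drives attached: " +
        ($unprotected.Drive -join ', '))
}
```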
Who is most at risk
Every company processes data that should not fall into unauthorized hands. But there are situations where the risk is particularly high: remote employees working outside the office, sales teams carrying proposals and price lists to clients, legal and accounting firms handling sensitive data, and design offices with documentation covered by NDA.
There is one common denominator: data leaves the controlled environment and travels with the employee. The more such situations there are, the greater the risk.
Is a USB flash drive needed at all
It is worth asking an earlier question: should employees use external storage devices at all to transfer corporate data?
In most cases, a USB flash drive can be replaced with secure file sharing via the corporate cloud - Microsoft 365, SharePoint, or Teams. Data does not leave the controlled environment, access is monitored, and change history is recorded. The risk of losing a physical device disappears.
Where external media is actually needed - encryption is mandatory. Where it can be eliminated - it's worth doing so.
How this looks at Helpwise IT
As part of workstation security configuration, we implement an external storage encryption policy - so that no employee can accidentally take out unprotected data. At the same time, we analyze where the use of external storage devices can be replaced with more secure cloud solutions.

