Businesses Risk GDPR Fines Over Continued Use of Unencrypted USB Devices

Under GDPR, businesses must ensure that any personal data of EU data subjects that they collect or process is protected against unauthorized access. If a data breach occurs that could have been prevented had reasonable steps been taken to protect personal data, the supervisory authority can impose severe fines. The maximum fine is €20 million or 4% of worldwide annual turnover, whichever is higher.

With the threat of substantial fines, most UK businesses have implemented safeguards of some kind; however, a recent ESET survey of UK businesses has revealed a major gap that is not being addressed: USB drives.

When USB drives are used to store or transport sensitive data, the data should be encrypted to protect against leaks. USB drives are small and, as such, are easily lost or stolen, and an unencrypted drive that goes missing is a reportable data breach. Yet in the UK, 55% of businesses do not encrypt personal data on removable devices.

It has now been a year since GDPR came into effect, so it is worrying that so many companies are failing to address the security risks associated with USB drives. Without encryption, anyone who gets hold of a drive can read the data on it by plugging it into any computer; no credentials or special access are required.

When steps are taken to secure the devices, the most common measure is a password. However, a password on its own offers only moderate protection. If the password merely gates access on the drive's controller or in software and the stored data is not actually encrypted, it can be bypassed by reading the flash memory directly; and even where the password does derive the encryption key, a weak or reused password can be recovered by offline guessing once the attacker has the device in hand.

Businesses may mistakenly believe that the risk of a data breach from a USB drive is negligible and certainly not worth the expense of encryption. However, the survey also revealed that employees are careless with USB devices. 62% of respondents said they had seen USB devices left on desks in full view or in other exposed office spaces, where the devices could easily be picked up by an employee or visitor and the data read without authorization.

To avoid costly GDPR fines, businesses should prohibit the use of USB devices and transfer data by other means, such as cloud services, which must themselves be subject to access controls and encryption in transit and at rest. If USB devices do need to be used, the data on them should be encrypted so that only authorized individuals can access it and the devices remain protected when taken off site. Encryption only helps if the key or passphrase is strong and is not kept with the device, so the policy should also cover how keys are issued, stored and revoked.