Australia’s data loss prevention and encryption vendors will no doubt be salivating at the Defence’s confirmation that a USB stick allegedly found by a radio announcer on a Qantas flight does indeed contain Defence information.
The confirmation follows the announcement by a 2GB Radio Sydney announcer on 10 March 2011 that he was in possession of the USB stick, which was claimed to contain Defence classified information.
In a statement, Defence said it collected the USB stick on the same day, and assessed whether it did contain classified information. “Initial analysis indicates that the device does contain Defence information, none of which is highly classified and some which is unclassified and available over the internet,” the statement reads.
Defence did not comment on whether the data contained on the stick was encrypted or able to be copied.
According to Defence, the memory stick’s owner had been identified as a former Defence member and current contractor.
“Defence takes any compromise of its information seriously, and the circumstances surrounding the loss of the thumb drive are being investigated,” the statement reads.
Intelligent Business Research Services (IBRS) advisor, James Turner, said while the claims to possessing unclassified information on the USB stick could be exaggerated, the situation did show the need for organisations to utilise encryption, rather than data loss prevention.
“I'm presuming that the contractor was entitled to access the information they had on the USB key so DLP would have wished him a cheery safe trip and done nothing to stop the data being ported on to a USB key,” he said.
“This is the same scenario that a number of our clients have been looking at and a common conclusion, and certainly one that I recommend, is enforcing USB encryption.
“Security should support the staff in what they are authorised to do and if that includes copying data onto a USB key and getting on a Qantas plane then so be it.”
The incident was a good reminder for other organisations to revisit security policies, examine how they would manage the loss of a USB stick and understand what sorts of data was presently on staff USB sticks, Turner said.
“For most organisations, I bet they wouldn't know [what is on staff USB sticks],” he said. “Partially because they wouldn't have sufficient logging to know where the data had moved and partially because the staff would be too embarrassed to report the loss internally."
Follow Tim Lohman on Twitter: @TLohman
Follow Computerworld Australia on Twitter: @ComputerworldAU