As individuals and organizations digitize more data, they become more susceptible to major data breaches. Though convenient, inexpensive USB flash memory sticks and other portable storage devices certainly don't help the cause, because workers use them to transport databases and other confidential information. On top of the real danger of misused data, major data breaches also cause damaging negative publicity.

It may seem inherently complex, but securing portable storage devices is within reach for small businesses. Here's what organizations can do to secure their data.

Above All, Encrypt Your Data

Before discussing common methods of securing portable storage devices, it's worth highlighting an often-underappreciated advantage of encrypting data on portable storage devices. Specifically, properly encrypted data offers a safety net against potentially embarrassing or damaging data surfacing from storage devices that were discarded or sold off.

Many businesses don't realize how easily deleted files can be retrieved with off-the-shelf recovery software from hard disk drives (HDDs) and USB drives. Reconstituting previously encrypted data, on the other hand, is far more involved, as it requires the original credentials or even a copy of the decryption key.

An encrypted storage device whose decryption key has been erased, or one protected by a strong authentication passphrase, offers a good safeguard against malicious data recovery. A thoroughly wiped or physically destroyed storage device remains the most secure defense against data leakage, though.

Windows 7 and 8: BitLocker To Go

For Windows users, BitLocker To Go is the easiest way to encrypt an entire USB portable storage device. This capability, which first appeared with Windows 7, is initialized at the disk-volume level of a removable storage drive.
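The following PowerShell script is an added example, not code from the article or from Microsoft's documentation. It walks through the setup this section describes for a removable drive: password protection, a separately stored recovery password, and optional auto-unlock. It assumes the BitLocker PowerShell module (Windows 8 and later), an elevated session, and that the drive to protect is E:; the recovery-file path is also an assumption.

```powershell
# Added example (not from the article): protect a removable drive with
# BitLocker To Go, keep a recovery password off the drive, and report status.
# Assumptions: BitLocker module present (Windows 8+), elevated session, drive E:.
#Requires -RunAsAdministrator

$MountPoint   = 'E:'                                  # assumed: removable drive to protect
$RecoveryFile = Join-Path $env:USERPROFILE "Documents\BitLockerToGo-E-recovery.txt"  # assumed path

# 1. Sanity checks: data volume, not already protected.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'Data')       { throw "$MountPoint is not a data volume" }
if ($vol.ProtectionStatus -eq 'On')   { Write-Host "$MountPoint is already protected"; return }

# 2. Ask for the unlock password interactively; never hard-code it in a script.
$pw = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString

# 3. Encrypt the whole volume with a password protector.
#    -UsedSpaceOnly is fast on a brand-new drive; drop it for a drive that already
#    held sensitive files, so previously deleted data in free space is encrypted too.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
                 -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

# 4. Add a recovery password so a forgotten password does not mean lost data,
#    and store it somewhere other than the drive itself (a key store, not a sticky note).
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp = $after.KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -Last 1
$rp.RecoveryPassword | Set-Content -Path $RecoveryFile
Write-Host "Recovery password written to $RecoveryFile; move it to your key store."

# 5. Optional convenience: auto-unlock on this PC. BitLocker only allows this
#    when the operating system drive is itself protected.
if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}

# 6. Show what was done.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
                  ProtectionStatus, EncryptionMethod, AutoUnlockEnabled
```

On Windows 7, which lacks the PowerShell module, the same result comes from an elevated command prompt with `manage-bde -on E: -pw -rp`, which prompts for the password and prints the recovery password. Whichever tool is used, the recovery password is the piece that turns "user forgot the password" from a data-loss event into a help-desk ticket, so it belongs in a managed key store rather than on the drive.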
Access to the drive's content is password-protected, and data is automatically encrypted as it's copied over. For convenience, it's possible to enable auto-unlock, which lets a particular PC unlock specific storage drives automatically, without a password prompt.

Though BitLocker To Go volumes can be accessed by any version of Windows 7 and later, you need Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Pro or Windows 8 Enterprise to initialize BitLocker To Go on storage drives. For Windows XP or Vista platforms, you can install a BitLocker To Go Reader application onto the target storage device during initialization; this app, available as a download, gives users password-protected, read-only access to encrypted data. Note that the reader app only works on storage devices formatted with the exFAT, FAT16 or FAT32 file systems.

Businesses that run a Windows domain can, for example, set up a policy to enforce mandatory BitLocker protection before data can be copied onto removable drives. Additional controls can cover password complexity or mandate the use of a smart card. Overall, BitLocker To Go is a robust encryption solution that offers a seamless experience for Windows-only organizations.

Windows XP and Vista: Encrypting File System

The Encrypting File System (EFS) is another way to encrypt data on removable disk drives. Though it has recently been superseded by BitLocker for hard disk drives and BitLocker To Go for portable storage devices, EFS has been around longer and works on older versions of Windows, including XP Professional and Vista Business, Enterprise and Ultimate. Enabling EFS is as simple as choosing the "Encrypt contents to secure data" option under the General properties of a folder or file.

On the flip side, EFS has several obscure quirks that can be tricky for nontechnical users to understand. The EFS certificate, for one, must first be exported and imported on another computer before the encrypted files can be accessed there.
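The PowerShell script below is an added example, not code from the article. It performs the two EFS steps just described (encrypting a folder, then backing up the EFS certificate and private key) and adds the check a practitioner would want: after copying one file and moving another into the encrypted folder, it reports which of them actually carry the encrypted attribute, then encrypts any that don't. The folder and backup paths are assumptions; the script is Windows-only and should run as the user whose files are being protected.

```powershell
# Added example (not from the article): turn on EFS for a folder, back up the
# EFS certificate, and verify which files really ended up encrypted.
# Assumptions: Windows with NTFS, run as the owning user, paths below are made up.

$Secure  = Join-Path $env:USERPROFILE 'SecureDocs'      # assumed: folder to protect
$Plain   = Join-Path $env:USERPROFILE 'PlainDocs'       # assumed: unencrypted folder, same NTFS volume
$CertPfx = Join-Path $env:USERPROFILE 'efs-backup.pfx'  # assumed: keep this OFF the protected drive

New-Item -ItemType Directory -Force -Path $Secure, $Plain | Out-Null

# 1. Same effect as ticking "Encrypt contents to secure data" on the folder:
#    new files created in it are encrypted automatically.
cipher.exe /e "$Secure" | Out-Null

# 2. Export the EFS certificate and private key to a password-protected .pfx.
#    Without it, the files are unreadable from any other machine or after a reinstall.
cipher.exe /x "$CertPfx"

# Returns $true when the file or folder carries the NTFS "Encrypted" attribute.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    ((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
}

# 3. Reproduce the copy-versus-move quirk with two constructed test files.
'sample data' | Set-Content -Path (Join-Path $Plain 'copied.txt')
'sample data' | Set-Content -Path (Join-Path $Plain 'moved.txt')
Copy-Item -Path (Join-Path $Plain 'copied.txt') -Destination $Secure
Move-Item -Path (Join-Path $Plain 'moved.txt')  -Destination $Secure

foreach ($name in 'copied.txt', 'moved.txt') {
    $p = Join-Path $Secure $name
    '{0,-12} encrypted={1}' -f $name, (Test-EfsEncrypted -Path $p)
}

# 4. Close the gap: encrypt every file under the folder that is still in the clear.
Get-ChildItem -LiteralPath $Secure -File -Recurse |
    Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) } |
    ForEach-Object { [System.IO.File]::Encrypt($_.FullName) }

# 5. Final audit: anything still unencrypted is reported so it can be investigated.
Get-ChildItem -LiteralPath $Secure -File -Recurse |
    Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) } |
    Select-Object FullName
```

Step 4 is the part worth keeping in a scheduled task: because EFS is applied per file, anything that arrives in the folder by a path EFS doesn't cover (a move on the same volume, a restore from some tools) stays plaintext until something re-checks the attribute.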
Another quirk: files copied into an EFS folder are automatically encrypted, but files moved into it are not. Moving or copying EFS files to a non-NTFS file system strips the encryption, though performing a system backup preserves it.

Mac: 256-bit AES Encryption

On the Mac, you can create a password-protected, encrypted disk image with up to 256-bit AES encryption on Mac OS 10.5 or later. (For older Mac OS versions, 128-bit encryption is available.) The resulting .dmg file can be mounted in the Finder for file access and will automatically expand as data is added. Most importantly, a disk image file behaves as a regular file and can be copied onto a portable storage device.

There's one major disadvantage of file-level encryption, though: employees who are lazy or in a hurry can easily skip this step.

Different Encryption Options With Third-Party Software

For a variety of reasons, your business may prefer third-party encryption software to platform-specific solutions. If that's the case, you have a few options.

The open source TrueCrypt, supported on Windows, Mac OS X and Linux platforms, can create encrypted disk images that mount as real disks. TrueCrypt will also encrypt entire partitions or storage devices.

GNU Privacy Guard (GnuPG) is another popular tool.
It supports Mac OS X, Linux, FreeBSD, NetBSD and Windows, though not the 64-bit version of Windows.

Businesses looking for simpler file encryption often turn to the strong AES encryption built into file archival utilities such as the free 7-Zip and the commercial WinRAR.

Self-Encrypting Hardware: Many Options, But Buyer Beware

Recognizing that software encryption offerings aren't always convenient, security vendors are beginning to offer storage devices that don't require software.

The LOK-IT Secure Flash Drive, for example, uses a number pad for authentication: the storage drive initializes and appears on the host computer as a normal drive only after a user keys in the correct passcode. Data is transparently decrypted and encrypted in real time as it is read from or copied to the drive; unplugging the drive relocks it automatically. Other examples include the Aegis PadLock and the StarTech encrypted hard drive enclosure, which use LED lights and an OLED display, respectively, to signal their status.

As you would expect, hardware with built-in self-encryption costs more than standard non-encrypting hardware. That said, the software-free design does let you use self-encrypting hardware without taking a specific OS into account. Moreover, these devices stymie brute-force attacks by deleting the on-board decryption key after a predetermined number of failed attempts, rendering the remaining data nothing more than gibberish.

Businesses should know that not all self-encrypting hardware implementations are created equal. Some hardware encryption devices have been found to implement unreliable "pseudo encryption" or to perform flawed password checking.
There's often no easy way to separate fake products from the real McCoy, unfortunately, though it's safe to say that buying hardware at an overnight flea market or from a seller of unknown reputation on eBay is unlikely to be a wise choice.

Mixing Encryption Hardware and Software May Be the Best Medicine

Finally, numerous business-centric products use a mixture of proprietary encryption hardware and custom software. One, the Defender series of encrypted flash drives from Kanguru Solutions, is designed for use in both small businesses and enterprises.

As with the self-encrypting hardware mentioned above, data stored on Defender USB flash drives is automatically encrypted with 256-bit AES encryption. Instead of relying on a keypad, though, the Kanguru Defender uses a software client loaded on an unencrypted (and read-only) portion of the drive to request the user password. The password is passed to the USB drive for on-device matching, so the authentication process cannot be bypassed on the host.

The software client serves a dual role, too, synchronizing with a backend server for the latest device policies, such as password expiration, the maximum number of password attempts and minimum password complexity. Policies that still allow access to the Defender USB flash drive in the absence of Internet connectivity can also be configured.

Encryption Strategy Not Always Ready to Wear

Device encryption, like all password-protected technology, comes with the unavoidable risk of users forgetting their passwords. In some cases, proper recovery-key management or a password-management tool can mitigate this. Along these lines, make sure the encrypted data is never the sole copy of the information and that a secure backup is available elsewhere.

There's no doubt that the technology to secure portable storage devices already exists, though ease of use and cost can vary widely.
BitLocker To Go is easy to implement, but it isn't suitable for mixed operating system environments. Self-encrypting hardware may be more convenient and versatile, but it often comes at a steep per-device premium. Ultimately, businesses must explore the options carefully to determine the best solution for their needs, but the key is not to leave portable storage devices unprotected.

Paul Mah is a freelance writer and blogger who lives in Singapore. Paul has worked a number of years in various capacities within the IT industry. Paul also enjoys tinkering with tech gadgets, smartphones and networking devices. You can reach Paul at firstname.lastname@example.org and follow him on Twitter at @paulmah.