
Comment Re:Insider (Score 1) 252

Well if IronKey Dave is going to plug his wares, above, then why not..

If you're interested in additional secure flash drive options, check out Kanguru Solutions' Defender Elite products. We use on-chip password matching and 256-bit AES (CBC) hardware encryption. The drive can be remotely administered and deleted per my other post via our KRMC web-based administration console. Please don't let the Sandisk products give our industry a bad name.

http://shop.kanguru.com/index.php/flash-drives/secure-storage/kanguru-defender-elite http://shop.kanguru.com/index.php/krmc

Comment Re:Insider (Score 1) 252

Of course. If Joe were to drop his flash drive during his travels, someone who finds it will have to subvert the encryption and authentication to get to his unencrypted data.

Now, if you are alluding to Joe stealing this data, then that is a different attack vector. The inside threat. For threats like these you not only need encrypted storage, but centralized management of said storage. There are products available that can issue remote destruction commands to the flash drive, or prevent its use outside of a specific network for example.

Comment Insider (Score 3, Informative) 252

As someone who works in the secure flash drive space, maybe I can shed a little light on some questions/comments I see above..

First and foremost the vulnerability described in this article is related to only the secure flash drives stated in TFA. There are several others available that do not have this vulnerability because instead of password matching in software, they match in Hardware or Firmware, run on the drive itself. Are there others within the industry that may be susceptible? Probably, but all secure flash drives certainly are not. Look to only use drives with password matching done on-chip (HW/FW).

How could a FIPS 140-2 certified flash drive have this vulnerability? Well, FIPS is great to prove you use certified encryption algorithms, authentication methods, and so on, but FIPS does not certify the whole system. This is one of those very important security areas that fall outside of the FIPS umbrella. In the future look for additional certifications that will encompass the entire system rather than just the encryption like FIPS.

Why not just use TrueCrypt?? TrueCrypt is a great product, there is no doubt. But at its core, TrueCrypt is a software encryption container for your data. There are some inherent shortcomings with software encryption on USB flash drives.
1. Performance is sacrificed since your PC CPU needs to perform all security operations in software, rather than on the hardware of the flash drive.
2. Though it may work well for consumers that *want* to have their data secure, TrueCrypt would be a nightmare in an enterprise setting. Users could format the drive, or store files outside of the encrypted partition just to make things easier. This is not possible on secure flash drives with forced data encryption via hardware. With these drives an Admin knows that if he sees a drive by company X, that the data on it must be secure. Just to name a couple..

I hope this is helpful to some.
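
An added example, not part of the comment above and not any vendor's firmware: a toy Python model contrasting password matching in host software with matching on the drive itself. The class names, the `UNLOCK_OK` constant and the retry limit are constructed for illustration.

```python
import hashlib
import hmac
import os

UNLOCK_OK = b"UNLOCK-OK"  # constructed stand-in for the fixed string the host tool sends

class HostMatchedDrive:
    """Weak design (hypothetical model): the PC program checks the password."""
    def __init__(self, password):
        self._host_ref = hashlib.sha256(password.encode()).digest()  # lives on the PC side
        self.unlocked = False

    def host_unlock_message(self, password):
        # Host software compares; on success it always emits the same bytes.
        guess = hashlib.sha256(password.encode()).digest()
        return UNLOCK_OK if hmac.compare_digest(guess, self._host_ref) else b""

    def receive(self, message):
        # The drive sees only a verdict that carries nothing derived from the password.
        self.unlocked = message == UNLOCK_OK
        return self.unlocked

class OnChipDrive:
    """Matching in HW/FW (hypothetical model): the drive verifies and rate-limits."""
    MAX_TRIES = 3

    def __init__(self, password):
        self._salt = os.urandom(16)
        self._ref = self._derive(password)
        self._tries_left = self.MAX_TRIES
        self.unlocked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def receive(self, password):
        if self._tries_left == 0:
            return False  # locked out until an administrator resets the device
        self.unlocked = hmac.compare_digest(self._derive(password), self._ref)
        self._tries_left = self.MAX_TRIES if self.unlocked else self._tries_left - 1
        return self.unlocked

def unlock_message_varies_with_password():
    """Design-review check: does the host-to-drive unlock message depend on the password?"""
    a, b = HostMatchedDrive("correct horse"), HostMatchedDrive("battery staple")
    return a.host_unlock_message("correct horse") != b.host_unlock_message("battery staple")
```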
Security

Encryption Cracked On NIST-Certified Flash Drives 252

An anonymous reader writes "USB Flash drives with hardware based AES 256-bit encryption manufactured by Kingston, SanDisk and Verbatim have reportedly been cracked by security firm SySS. These drives are advertised to meet security standards suitable for use with sensitive US Government data (unclassified, of course) as emphasized by the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST). It looks like the Windows-based password entry program always sends the same character string to the drive after performing various crypto operations."

Comment Clarizen (Score 1) 428

At my place of work (also a small business), we use a cloud based solution called Clarizen. It's highly functional and easy to use. It's also less expensive than most competitors. We tried MS project and had similar results where it caused more trouble than the benefits it produced. I know you didn't want cloud but my reasoning was that if this company was to leak proprietary info in any way, they would go down in flames. Also they agreed to sign an NDA with us so there are legal ramifications of doing so as well. I'd reconsider the cloud if I were you. Many of these solutions provide trials so you can check it out before you buy and it will be less time for you to manage the infrastructure as well since you are a one-man band over there.

Comment Re:Fingerprint scanners suck. (Score 4, Interesting) 166

mpapet is correct. I work on the development team of a company that manufactures Biometric USB drives. There are many, many low-end drives on the market that, as this article states, are not secure at all. You can use the attack they speak of or attack the flash chip directly in most cases. There are a few quality products on the market, including our own, that do use strong security principles to make sure attacks like these are not possible. To say that these issues affect all biometric USB devices, and that they should not be used, is simply false.
