Out-Law News

Security risks of USB flash drives are ignored, says survey


Insecure hi-tech devices such as USB flash drives and media players are being used in 84% of companies, but little is being done to address the information security risks that they present, according to a survey by mobile security firm Pointsec.

The use of USB-connected devices such as memory keys and flash drives is rising in the workplace, and companies need to be aware of how easy it is for staff to use them, lose them or take competitive information away on them, says Pointsec.

An employee's iPod could be used to download large volumes of sensitive data from the corporate network or to introduce viruses, worms or other malware when transferring data from a home PC to a work PC.

The company also warns that if the devices are lost or stolen, the vast amounts of valuable company information on them could seriously expose a company to extortion, digital identity fraud, or damage to its reputation.

Pointsec’s survey of 300 UK IT professionals found that on average 31% of employees within a company are using the devices in the office, while in a third of companies, removable media is being used without authorisation.

Two-thirds of IT professionals who used the devices at work admitted that they did not protect them with encryption even though they were aware of the associated dangers. In fact, 90% of those surveyed were aware of the potential danger presented by removable media, but 41% did not know how easy it is to protect the data contained on the devices.

“There seems little point in companies spending vast sums of money on information security if at the same time they’re letting their staff use these devices at work which allow them unhindered access to download vast quantities of sensitive company information,” said Martin Allen, Managing Director of Pointsec UK.

“Organisations need to introduce strict guidelines on the use of removable media devices in the workplace, as well as investing in encryption software which will allow administrators to force the encryption of all data put onto a mobile device,” he continued. “Using this type of software is just as vital and inexpensive as using anti-virus software, yet only a fraction of organisations have woken up to the problem.”

Pointsec recommends that companies:

  • Deploy user mobile guidelines or ensure that your corporate IT security policy includes corporate directives that state the importance of proper handling of mobile devices such as removable media.
  • Ensure that all members of staff are aware that their employment does not allow non-company devices to be used within the company network.
  • Use encryption software which enables centralised policy enforcement of all data stored on mobile devices and removable media.
  • Have methods in place that enable encrypted data to be decrypted in a controlled way outside the corporate network.
  • Use policies to control the number of login attempts that people may use to try to get at information they are not authorised to see.
  • Have methods (independent of the end user) that enable decryption of all encrypted data within the company network.