“Organisations do not understand the risks they face because of employee negligence but are not taking the necessary steps to secure USB drives.”
This forms part of the introduction to the findings of the UK part of the survey by the Ponemon Institute on behalf of Kingston Technologies.
The results of the survey show how negligently inactive UK organisations are when it comes to unauthorised use of USB devices. A shocking 73% of those surveyed reported that employees within their organisations use USBs without obtaining permission, and 72% said that data breaches had been caused by sensitive or confidential data on USBs being lost.
These results come as no surprise to many of us: the number of stories we all read on a weekly basis about data sticks being lost, laptops being lost, or discs being left in taxis, etc. is large.
The surprising thing in many ways is that despite these incidents, organisations are still allowing uncontrolled USBs to become prevalent, picked up at trade fairs and expos (the survey said 55%; I suspect this is actually much higher). And so business is relying on the common sense and integrity of its employees to use the devices sensibly. In fact, the sensible thing to do is have a policy, implement it and educate it in to your staff.
The survey shows that a disappointing 32% have policy and controls in place to stop or limit employees' misuse of USBs in the workplace, and 29% have the technology to prevent or detect a virus or malware on USB drives before use by employees. Some organisations, as we know, will create policy and then not educate it in to their people; lip service to a policy never works, hence the 73% of respondents having lost sensitive data.
We have said it before and will say it again: assess the risks (ask for help if you need to), design the policy and procedures (ask for help if you need to), implement and check it works, then educate it in.
From the report:
The following are 10 USB security practices that many organizations in this study do not
1. Providing employees with approved, quality USB drives for use in the workplace.
2. Creating policies and training programs that define acceptable and unacceptable uses of
3. Making sure employees who have access to sensitive and confidential data only use secure
4. Determining USB drive reliability and integrity before purchase by confirming compliance with
leading security standards and ensuring that there is no malicious code on these tools.
5. Deploying encryption for data stored on the USB drive.
6. Monitoring and tracking USB drives as part of asset management procedures.
7. Scanning devices for virus or malware infections.
8. Using passwords or locks.
9. Encrypting sensitive data on USB drives.
10. Deploying procedures to recover lost USB drives.