USB sticks still being used insecurely, Ponemon study finds
- 27 November, 2011 01:42
USB sticks remain a big security weakness for many UK organisations with many employees using drives for data transport without permission and not bothering to report their loss, a Ponemon Institute study has found.
The study polled 451 IT staff in the UK from a global total of 2,942 on behalf of Kingston Technology, finding that 73 percent had experienced staff use of USB drives without authorisation, with 72 percent mentioning loss without notification in the last two years.
Only half of UK organisations employed some form of security policy or technology to these devices, and awareness of the risk posed by them was to be low in Britain compared to security-aware countries such as Germany.
Organisations were reluctant to enforce the use of secure drives, with 55 percent of workers using generic drives bought by themselves or picked up at conferences or trade shows.
"If you lose a laptop you can't do your work; if you lose a USB stick nobody will ever know about it," said Larry Ponemon of the Ponemon Institute. "To many people a USB stick is just a ubiquitous device."
In the last three years, cases publicised by Britain's Information Commissioner's Office (ICO) show that lost USB drives - very few of which ever employ encryption despite containing sensitive data - have become a major bane of the public sector.
Despite only scratching the surface of the problem, according to Ponemon, public 'naming and shaming' has been a major spur to change.
"Notification has been shown to be very effective in achieving a higher level of compliance," said Ponemon. "When it is made a reputation issue, organisations tend to pay attention to it."
Data isn't the only risk, with only 29 percent of those asked saying that their companies had systems in place to detect the malware that might creep into organisations via USB sticks.
Kingston recommends that organisations provide all employees handling sensitive data with encrypted drives, create policies for acceptable use, and employ asset tracking and recovery to manage their deployment.
An infographic summarising the UK findings can be found here.