Companies see risk of removable media but still turn a blind eye
According to a survey on “Removable Media in the Workplace”, companies’ information security expenditure could still all be for nothing as they continue to turn a blind eye to the threat of removable media for a second year in a row. The research, conducted by mobile security specialists Pointsec, shows that removable media devices such as media players, memory sticks and USB flash drives are now routinely used by a huge number of employees in the vast majority of UK businesses, but with little regard to the security threat they pose.
A staggering two-thirds of IT professionals who use removable media themselves at work admitted that they did not protect them with encryption even though they are aware of the associated dangers.
Most IT security policies are written by the IT department. Yet when quizzed on the security risks, 65% of IT professionals knew that removable media were a potential security time-bomb, while 66% admitted to neglecting to include mobile devices in their current security policies.
The survey highlights that a large number of organisations are yet to address the problem of removable media. With removable media plummeting in price, memory capacity soaring and more people using them at work, companies need to be aware of how easy it is for staff to use them, lose them or take competitive information away on them, all in the palm of their hands. If lost or stolen, vast amounts of valuable company information could seriously expose a company to extortion, digital identity fraud, or damage to their reputation, integrity and brand.
Some of the headline statistics from the survey, conducted amongst 248 IT professionals during Infosecurity Europe 2006, reveal that:
– Twelve percent of organizations ban the use of removable media devices in the workplace.
– On average 56% of employees are downloading corporate information onto their memory sticks, compared with 31% last year.
– Only around 21% of removable devices in the workplace are secured with passwords or encryption.
– 65% of those surveyed were aware of the potential danger that removable media presents.
– 4% of the IT professionals interviewed felt that the best form of defense against loss or theft was to keep the device in their pocket and one chap slept with his USB stick around his neck to keep it safe and sound!
The most popular use of memory sticks is to store corporate data such as contracts, proposals and other business documents, with customer information coming in a close second. Twenty-two percent used them to store their customers’ names and addresses, with others using them to store presentations, budgets and other documents. One respondent used his memory stick to store his hacking tools while 3% found them useful to store passwords and bank account details! Seventy percent used them for downloading music files.
Martin Allen, Managing Director of Pointsec UK, said: “It is no surprise that we’ve seen such an explosive use of removable media in the workplace as they are convenient, cheap and easy to use. However, if not properly managed and controlled they can become a potential security timebomb.”
“Our advice is to introduce strict guidelines on the use of removable media devices in the workplace, and invest in encryption software which will allow administrators to force the encryption of all data put onto a mobile device. Companies will soon realize that this type of software is just as vital and inexpensive as using anti-virus software.”
The proliferation of high-capacity media players and USB flash drives on the market makes it possible to save anything up to 100GB of information on a single device. This means an employee could download 8 million documents of valuable data on what appears at first sight to be just an entertainment tool. USB pen drives and USB memory sticks can now store 8GB of data, which equates to around a million documents.
Preventing people from bringing removable media devices into the office is an extremely difficult problem. However, although they are fun and convenient, they are very easy to lose or abuse and are therefore a real security threat. If companies are to avoid breaching legislation such as Sarbanes-Oxley, Basel 2 and The Data Protection Act, and to avoid falling victim to the havoc these tiny portable devices can cause, they need to rapidly get to grips with the risks associated with removable media and protect themselves against those risks.