Naive approach to risks posed by USB sticks, iPods and PDAs
65% of companies needlessly put themselves at risk because they underestimate the threat posed to their network’s security by USB sticks, flash drives, iPods and PDAs, research conducted among 370 UK companies shows.
The results of the survey, conducted by an independent media company, were announced today at InfoSecurity 2007 by GFI Software, an international developer of network security, content security and messaging software.
Although 49% of UK companies surveyed are concerned about data theft, 65% do not consider the use of these devices on their network to be a security threat. On the contrary, 71% are of the opinion that the use of portable storage devices is important or very important to the company’s operations.
Nearly half of the respondents said they had no clue how many employees were actually using USB sticks or iPods at the office, and while 37% said it was their company’s policy to monitor portable storage devices, only 22% had some form of hardware or software installed to control their usage on the network.
“The uncontrolled use of portable storage devices by employees is a very real threat to the security and stability of any business. Unfortunately, many businesses are unaware of or ignore the threat until something actually happens,” Andre Muscat, director, network security products at GFI Software, explained.
Security companies have long been warning about the dangers of endpoint devices, but recent breaches show that businesses have not learnt the lesson and are increasingly putting themselves at risk by giving out such devices to employees and encouraging their use.
According to GFI’s research, 83 per cent of UK companies surveyed admit giving their employees USB sticks or PDAs, saying that portable storage devices enabled mobile working (76%) and made data sharing easier (61%).
Portable storage devices are a major threat if companies have no record of what files are being transferred from the network to the device and vice-versa. With only 29% actually logging what data is transferred to and from the network, companies are taking a very naïve approach to this security threat. This was confirmed last February when IT consultancy NCC sent finance directors from 500 listed firms USB sticks forming part of an anonymous invitation saying ‘For Your Chance to Attend the Party of a Lifetime’. According to NCC nearly half of the finance directors and two-thirds of media companies inserted the unidentified memory stick into their computers. Although this was a harmless incident, it proves the point that it only takes one USB stick to upload a virus to a system and only one 4GB USB stick to copy all the company’s most sensitive commercial data.
“This is a growing problem for businesses and our research clearly shows that although companies are concerned about data theft, they must be made aware of the real threats and where they are coming from,” Mr. Muscat added.
While 99% of UK companies said they had anti-virus, anti-spam and firewalls installed, 78 per cent did nothing to control the use of portable storage devices and only nine per cent said they had other security measures or products in place.
“Insider threats are growing and companies need to be more aware of this threat because the repercussions can be enormous,” Mr. Muscat said.