iPods and other portable storage devices still a growing threat for data leakage

CREDANT Technologies released a survey of 323 directors, managers, CIOs, CEOS and others from the fields of IT, banking and finance, medicine, government, and education on the use of portable data storage devices including iPods, MP3 players, USB flash drives, and data-centric phones/SD cards in the workplace.  The objective of the survey was to find out if organizations are prepared for breaches from iPods, whose storage capacity reaches 80 gigabytes, as well as MP3 players and USB flash drives.

The survey found that although organizations see rapid growth in use of these portable storage devices, few have a solution to prevent widespread data loss via these easy-to-lose devices. In addition, CREDANT conducted a video survey of workers who use iPods in corporations throughout Silicon Valley, with the same sobering results.

Following are the top 5 key findings from CREDANT Technologies’ 2007 Survey on Portable Storage Devices:

” 86% of those polled cited the USB flash drive as the device most often used to store data exchanged between computers, data-centric smart phones with SD cards came in second.    But when asked to rank these devices as a source of data leakage, respondents thought the iPod was as much of a threat as the SD card/smart phone. 78% said the USB flash drive is the greatest threat to organizations, 13% chose the data-centric smart phone and, 10% said the iPod was the biggest threat to corporate data.  

” Adoption of the iPod at work is high, with 61% of respondents stating that they use their iPod when traveling or at work.  iPods are being brought into the work place by Generation X and Y employees (ages 18 – 40), the average age cited by 92% of respondents.  These generations have grown up with computers, and the transition from thinking of the iPod as simply an audio player will change quickly as more and more users consolidate storage devices and learn how easily an iPod or an MP3 player can be used to store large amounts of data. 

” There is a lack of understanding as to the threat iPod use poses to an organization. Widely used at work, their data leakage threat is not nearly as understood as that of the USB flash drive.  Although 61% of respondents had never heard of “pod slurping” (the downloading of corporate data to an iPod), 67% believe that iPods and similar devices are a threat now. Organizations are faced with the challenge of making sure that all data stored on iPods and other portable devices is secured because the issue of data privacy and the requirement to encrypt data applies to any platform or vehicle used to store personally identifiable data —and an 80 gigabyte iPod can hold a lot of data.

” Despite the fact that 67% of all respondents believe that iPods are a security threat today, 49% said they would not take any preventative action to protect against potential breaches until they know the devices are more widely used to store business data.

” Only 6% of all respondents have an encryption solution for data stored on iPods, and while 46% say they have a written security policy governing the use of iPods, 40% have done nothing.

Although survey respondents acknowledged that USB flash drives, iPods/MP3 players, and data-centric smart phones with SD cards are moving into the workplace and being used to store data, organizations are still reticence about securing these devices.  As enterprises, government agencies, schools, and hospitals look for a way to control data leakage from desktops, laptops, USB flash drives, and even iPods, there is a clear need to keep track and secure all devices that can carry data. Securing these devices not only helps an organization better manage its data assets, it also ensures that the organization has complied with government regulations if a device carrying corporate data, or a customer’s or patient’s identifying information vanishes.

Even the possibility that an employee’s lost device has leaked data such as Social Security numbers, addresses, medical histories or financial information is grounds for notification costs and financial penalties, and could cause a hailstorm of compliance issues and lawsuits. As in the VA case and others, an organization’s reputation and business are at stake.