Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

USB sticks still being used insecurely, Ponemon study finds

Not enough encrypted drives despite numerous data breaches

USB sticks remain a big security weakness for many UK organisations with many employees using drives for data transport without permission and not bothering to report their loss, a Ponemon Institute study has found.

The study polled 451 IT staff in the UK from a global total of 2,942 on behalf of Kingston Technology, finding that 73 percent had experienced staff use of USB drives without authorisation, with 72 percent mentioning loss without notification in the last two years.

Only half of UK organisations employed some form of security policy or technology to these devices, and awareness of the risk posed by them was to be low in Britain compared to security-aware countries such as Germany.

Organisations were reluctant to enforce the use of secure drives, with 55 percent of workers using generic drives bought by themselves or picked up at conferences or trade shows.

"If you lose a laptop you can't do your work; if you lose a USB stick nobody will ever know about it," said Larry Ponemon of the Ponemon Institute. "To many people a USB stick is just a ubiquitous device."

In the last three years, cases publicised by Britain's Information Commissioner's Office (ICO) show that lost USB drives - very few of which ever employ encryption despite containing sensitive data - have become a major bane of the public sector.

Despite only scratching the surface of the problem, according to Ponemon, public 'naming and shaming' has been a major spur to change.

"Notification has been shown to be very effective in achieving a higher level of compliance," said Ponemon. "When it is made a reputation issue, organisations tend to pay attention to it."

Data isn't the only risk, with only 29 percent of those asked saying that their companies had systems in place to detect the malware that might creep into organisations via USB sticks.

Kingston recommends that organisations provide all employees handling sensitive data with encrypted drives, create policies for acceptable use, and employ asset tracking and recovery to manage their deployment.

An infographic summarising the UK findings can be found here.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ICO, Kingston, Kingston Technology, Technology
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Information Commissioner's Office, Kingston Technology, Ponemon Institute, security, storage
Latest Blog Posts
Whitepapers
  • Oracle SOA Suite – Oracle BPEL Process Manager
    Changing markets, increasing competitive pressures and evolving customer needs are placing greater pressure on IT to deliver greater flexibility and speed. In response to these challenges, leading companies are adopting Service-Oriented Architecture (SOA) as a means of delivering on these requirements by overcoming the complexity of their application and IT environments. Read on.
    Learn more »
  • Endpoint Buyers Guide
    It takes more than antivirus to stop today’s advanced threats. Protecting corporate assets requires a complete security solution that includes anti-malware, host-based intrusion prevention (HIPS), web protection, patch assessment, application and device control, network access control, data loss prevention, firewall and other capabilities. In short, you need an endpoint protection solution. We examine the top vendors according to market share and industry analysis: Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro. Each vendor’s solutions are evaluated according to: Product features and capabilities, Effectiveness, Performance, Usability, Data protection, and Technical support.
    Learn more »
  • Miercom Report - Plug and Play Switches
    Avaya engaged Miercom to evaluate the plug and play features and ease of configuration of the ERS 4548GT- PWR Edge Switch. The energy efficiency of the ERS was compared to similar switches and is discussed in this report as well. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.