IT departments blissfully unaware of flash drive security risks
Users run amok
COMPANIES are unaware of the extent to which unsecured flash drives are used in their organisations, claims a new survey.
77 per cent of corporate end users use personal flash drives for work-related purposes, but, when asked to estimate what percentage of the workforce uses personal flash drives, corporate IT respondents reckoned only 35 per cent.
Storage outfit Sandisk phoned users across the US and discovered that people used flash drives to hold customer records (25 per cent), financial information (17 per cent), business plans (15 per cent), employee records (13 per cent), marketing plans (13 per cent), intellectual property (6 per cent), and source code (6 per cent).
The survey suggests that the portability of USB flash drives presents a significant risk of data loss.
Approximately one in ten (12 per cent) of corporate end users reported finding a flash drive in a public place. And when asked to pick the three most likely actions they would take if they found a flash drive in a public place, 55 per cent said they would check out what was on it.
“Most CIOs are aware that data leaks can result in identity theft, compromise of intellectual property, and loss of trade secrets, as well as significant PR and financial damage to organizations,” says Gil Mildworth, Senior Director of Marketing for SanDisk’s Enterprise Division.
“Our survey demonstrates that, while there is some awareness of potential risks involved with unsecured USB flash drives, corporate IT execs need more effective policies, education, and technology solutions in order to mitigate the risks. Only a top-down effort involving intelligent device management, data monitoring, and centralised policy enforcement will sufficiently reduce risks.”
Almost half (44 per cent) of end users revealed that, to their knowledge, their organisation did not have a policy forbidding the copying of corporate data on personal USB flash drives. Some 41 per cent of corporate IT managers report they are at least 'somewhat uncomfortable' with the level of USB flash drive usage in their organisations, revealing a significant level of potential risk.
Corporate end users validated their concerns by reporting that one out of every five have little or no awareness about the risks involved with transporting corporate data on flash drives (21 per cent), revealing a significant potential for data loss. µ

Comments
Back to the Personal Computer
I find it hard to get upset about lapses in the iron grip some firms try to apply to their employees' computing.
In the early eighties it was a handful of hifi and similar tech buffs who introduced personal computers into workplaces like ad agencies (often spending £thous of our own money and ridiculed by fellow workers). Soon as management caught on to computing they reduced "personal" computer users to drones on a network, disabling floppy drives etc.
Fortunately, the human spirit (and technology) knows no such bounds.
Long Live the Floppy!
All hail the Floppy! Another reason to bring them back. Oh wait... usb drives are essentially floppies. Isn't it amazing how when a technology changes form it instantly becomes a security risk? Riskophiles go the hell away and let us get our work done!
Secure is good
I recently did an evaluation of secure flash drives for a company I work for. It is a VERY secure environment.
Although there are a few out there I ended up choosing Trek with AES hardware encryption. It is the only one that works on Windows, Mac and Linux, and requires no local admin rights or special drivers.
I have one for myself now too.
It's a new product for them and you might have to call to order it if you can't get it from a vendor easily.
"I hate Careless Men" -- Marilyn Monroe
Working in a Bank, in a country with heavy banking secrecy policy, it's absolutely forbidden to use flash drives.
USB / serial ports are soft-blocked. One office is dedicated to i/o of data, on multiple formats or even downloading certain files (.exe)
Our laptops are encrypted and have an access password.
The user is often complaining about these drastic measures, but I think it's the least you can do to be secure...
People just don't care
I've tried to get people in business interested in security for decades. They just don't care. Not the managers. Not the IT staff. Nobody.
I was recently contacted by a business to help them deploy a new CRM package. I tried to get them interested in including some very simple and easy to use security measures such as encrypting data on disk and using Microsoft NTLM to control access to the data files. They don't want to do any of it even though it wouldn't cost much to implement. (I planned to use TrueCrypt on the disks and Linux + Samba to implement NTLM domain security. This would be put on their data server while also running Windows as a virtual machine client via VirtualBox. No extra hardware and the software is free.) They don't want to hear about it. They are using Windows 98 with workgroup shares with no access restrictions on the shares. Amazing.
It's like that everywhere I go. I talk about identity theft and their potential liability. They don't care. I talk about their moral responsibility to protect their clients. They don't care.
As I've said for decades, people are a**holes.
It's not we are unaware
It's that we just want to close our eyes and pretend it's not happening, it's an extremely difficult problem to prevent, users want quick and easy thumb drive usage, and want to use their own thumb drives, so protecting the data becomes hard.
Vista has some thumb drive controlling facilities AFAIK, I've not used them but I saw a Microsoft demonstration of them upon Vista's release, I haven't heard anything since though.
Rod
http://roddotnet.blogspot.com
Ya Think?
"77 per cent of corporate end users use personal flash drives for work-related purposes, but, when asked to estimate what percentage of the workforce uses personal flash drives, corporate IT respondents reckoned only 35 per cent."
Really? 77 percent of people who use PCs in a corporate environment are bringing their flash disks in? So 77% of corporate users have flash readers AND know that they can bring their flash disks to work? And what percent are only using flash to upload images from their camera? The security risks there lay only in those with infected cameras. People with their own card-readers-in-PC who could be infected otherwise won't be taking their triscuits to work.
If there is a concern about users copying sensitive data, then explain to me what measures are in place to prevent E-mailing, floppy, or CD/DVD-ROM transmission. Is there software which says "no you can't do that to those media but flash is no problem"???
This is skewed-for-gain propaganda pure and simple. Sandisk will soon release what they call a solution and the story will have served its purpose.
Security IS a top priority at most companies
Security awareness has gotten a big boost with the advent of SOX and the fact that every publicly traded company has to be SOX compliant.
I've seen this at my old company first hand.
The independent auditors, the increased security requirements, the never ending lists of required security setting changes.
I honestly can't see any publicly traded company not take security seriously these days.
While some of the things the SOX compliance asks for do not make sense and sometimes are not possible the act does send the right message. The new message for businesses is that security is important.
The only people that don't have to deal with this are privately held companies.
banana ucb sticks
most people use usb sticks because:
* they want to TRANSFER huge files FAST, but their CIO has not heard of gigabit ethernet [I'm not even attempting to suggest fiber to the desktop..]
* they want to SHARE huge files, but on company's file server there are just 34 MB free...
* they want to sleep well at night, knowing that their 10-month-long work is SAFE without having to rely on the backup incompetence of their IT dept
it's things like backgrounds & upbringing
Also a way of transmitting things like trojans - leave a pen drive in the right place and maybe someone'll plug it in, and there you go, you're in.
In terms of what folks are saying about security in some places - it's a hygiene thing. Places where people don't care in general about their own and others lives, etc, aren't likely to be that bothered about protecting any aspect of it. Many of that kind of person actually want disasters to occur - it gives them time off, something to talk about, gives them the feeling something exciting took place.
Idiots.
There's another type though, who just don't trust that security vendors etc aren't just going to compromise them all the more. Which is fair enough; they too could install things and not be aware they are spying tools.
I think in the end, it just depends what area of the world you are born into & therefore have work access to - some types of folks wouldn't dream of giving themselves a hard time, which is why they all tend to be richer and live in nicer places to begin with.
Management have no time for Security
Working at one of the top companies other than Intel that made those dreaded TPM modules, it is unbelievable how much our top management couldn't care less about security.
It is not just thumb drives, but entire portable hard disk drive filled to the brim with business plans, financial information and other NDA covered data left on office desk in plain sight over long weekends.
It is ironic, but it is those who have the most valuable data who tend to handle them with careless abandon. And to think that the Messiah (tm) is trusting us with the Salvation Phone...