Data Security Survey Results #1: Do as I say, not as I do.

Posted by Apricorn on Oct 28th 2019

9 out of 10 IT Security professionals surveyed use USB storage devices on a daily basis.

And 90% of this same group went on to say that there should be encryption requirements on USB storage devices as part of their corporate security policy.

So it only stands to reason that 80% of these IT security professionals continue to use non-encrypted USB storage devices in their daily work routines.

Wait. What?

This reminds me of the national seatbelt laws this country has passed over the years. Ten years after Swedish car maker Saab introduced seatbelts as standard equipment in 1958, the U.S. Congress passed a law requiring seatbelts to become standard equipment on all passenger vehicles manufactured and sold in the United States. And the country agreed, at least in theory, that this law was a good idea, because anyone with a lick of sense knows that we really should wear seatbelts in moving vehicles. But less than 20% of the population actually wore seatbelts at the time, even five years after that law was passed. In fact, it took another 30 years for seatbelt use to finally catch on, which, coincidentally, was about the time that mandatory seatbelt use laws went into effect in all 50 states with hefty fines for violators. Today, national seatbelt use sits at around 90% compliance. Click It or Ticket!

In that same vein of thinking, if 90% of our surveyed IT professionals use USB storage devices, and 90% of that group say that all USB storage devices should have an encryption requirement (by way of their own corporate security policy), then why do only 20% of this group actually use encrypted external drives?

Does it mean that while these IT pros know they should use only encrypted USB storage, they won’t actually do so until a security policy forces them to? And like seatbelt laws, when such a policy rule is implemented, to what extent will it be followed and how does it get enforced? Maybe employers could start writing tickets to their encryption policy offenders (or pink slips). Short of a big data theft or loss report, how will an employer even know if their employees are doing as they should?

This disconnect between what employees know to be right and what employees actually do is a huge problem for companies everywhere, both large and small. Year over year, take a look at the stats in annual data breach reports and you’ll find that more than half of reported breach incidents come from within the breached organization itself, either by human error or system failure. And that doesn’t even touch on insiders with malicious intent! Most disturbing, among the breaches involving lost or stolen hard drives or computers, only 4% of those reported are “secure breaches” where the devices in question were encrypted and the data wasn’t at risk.

So when we address this enormous internal vulnerability by adding a storage media encryption requirement to our security policies, that’s the easy part: stating what we all ought to do. The real trick, DOING what we ought to do, can only be truly accomplished by preventing employee noncompliance. Whether it stems from malice, laziness, risky behavior, or plain old human error, removing the ability to disobey policy is the only sure way to guarantee policy compliance. And it doesn’t take draconian measures like banning USB device usage to eliminate the loss of sensitive data from within; USB storage, when encrypted, is a great way to carry and store sensitive data outside of the firewall while keeping it secure. Banning the use of portable USB storage devices would take a very important and widely used tool away from an ever-expanding mobile workforce.

Encrypted USB storage devices, used together with whitelisting software such as SecRMM from Squadra, are a great way to prevent non-compliant drives from being introduced into the system at all, and the whitelist can be sharpened even further by allowing only certain drive product IDs. In addition to removable storage, whitelisting protection can also be applied to the actual files themselves, dictating whether they can be copied at all, and if so, by whom.
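As an added illustration (not SecRMM's or Apricorn's code), here is a small Python model of the two controls described above: a removable-drive allowlist keyed on USB vendor/product ID, optionally pinned to the serial numbers of drives IT actually issued, plus per-file copy rules that say who may copy what. The VID/PID values, serial numbers, user names and paths are constructed placeholders.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str   # USB VID, 4 hex digits
    product_id: str  # USB PID, 4 hex digits
    serial: str

@dataclass
class Policy:
    # (VID, PID) of drive models approved for use. Only hardware-encrypted
    # models go on this list, so the allowlist is what enforces encryption.
    approved_models: set
    issued_serials: set = field(default_factory=set)  # optional: pin to issued drives
    file_rules: dict = field(default_factory=dict)    # glob -> users who may copy; empty = nobody

def evaluate_device(dev: UsbDevice, policy: Policy) -> tuple:
    """Decide whether an inserted drive is allowed, returning (verdict, reason)."""
    model = (dev.vendor_id.lower(), dev.product_id.lower())
    if model not in policy.approved_models:
        return "block", f"model {model[0]}:{model[1]} is not an approved encrypted drive"
    if policy.issued_serials and dev.serial not in policy.issued_serials:
        return "block", f"serial {dev.serial} was not issued by IT"
    return "allow", "approved encrypted drive"

def evaluate_copy(user: str, path: str, policy: Policy) -> tuple:
    """Decide whether user may copy path to removable media; first matching rule wins."""
    for pattern, allowed_users in policy.file_rules.items():
        if fnmatch(path, pattern):
            if user in allowed_users:
                return "allow", f"{user} may copy files matching {pattern}"
            return "block", f"files matching {pattern} may not be copied by {user}"
    return "allow", "no file rule matched"

# Constructed sample policy and insertion events; all identifiers are placeholders.
POLICY = Policy(
    approved_models={("0abc", "1234")},            # placeholder encrypted drive model
    issued_serials={"SN-0001", "SN-0002"},
    file_rules={"*/finance/*": {"cfo"}, "*.pst": set()},
)
EVENTS = [
    UsbDevice("0abc", "1234", "SN-0001"),   # issued encrypted drive
    UsbDevice("0abc", "1234", "SN-9999"),   # same model, but never issued
    UsbDevice("ffff", "0001", "SN-0002"),   # consumer drive, model not approved
]

def compliance_rate(events, policy=POLICY) -> float:
    """Fraction of insertion events the policy would allow (1/3 for EVENTS)."""
    allowed = sum(evaluate_device(d, policy)[0] == "allow" for d in events)
    return allowed / len(events) if events else 0.0
```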

It stands to reason that if we can get that third stat at the top of this post (the 80% still using non-encrypted drives) down to zero, we would put a serious dent in that internally originating breach number too.