“Free” Memory Sticks can be Expensive

THURSDAY, DECEMBER 14, 2017 | BANKING EXCHANGE, STEVE COCHEO

Not everything Scott Adams puts in the Dilbert comic strip is funny. In the Dec. 4 strip, the Pointy-Haired Boss tells Dilbert that he has just found a memory stick on the sidewalk. “It’s like free money!” the boss declares. “Can free money infect our network too?” says IT expert Dilbert. The boss tells Dilbert he worries too much. “If you need me,” answers the title character, “I’ll be selling all of my company stock.” Ouch.

Now, bankers rank smart enough that they wouldn’t insert a found thumb drive into their company laptop. But how often, when you’re cruising the aisles at an industry trade show, do you scoop up, with the free pens, can coolers, and packets of logo-bearing mints, a handful of free memory sticks? And what do you do with them when you get back to work?

Ubiquitous and often not policed

Consider these figures from a poll Apricorn conducted among over 400 IT professionals in finance, government, education, and other fields:

• 9 out of 10 say employees use USB devices today, including USB drives.

• 8 out of 10 say that employees use non-encrypted USB devices, such as the freebies obtained at conferences.

• And 9 out of 10 say encrypted USB devices should be required.

• Only 6 out of 10 firms have a policy in place governing what USB devices are acceptable. Yet only about half of the sample says that their company provides approved USB devices to employees.

Apricorn, manufacturer of encrypted drives, points out in its report that USB drives represent a two-way risk. First, sticking a drive from an unknown supplier—especially one containing files, such as vendor literature—into an employer’s machine may import malware into the company system. Second, when an employee uses a stick to move data, such as taking files home, the employer loses control over company and customer information.

Unencrypted data can be stolen—it just takes losing the stick—and a bad actor may be making off with confidential, proprietary information. The survey found that 87% of the employees surveyed have lost a USB memory device and not told their employer. Only half of the sample said that their companies explicitly require reporting a lost or stolen device. The percentage was higher among financial firms (63%).

Policies not always enforced

Seven out of ten executives polled say that being able to offload data onto a stick increases productivity. However, the survey found some troubling trends:

• 48% of companies require employees to ask permission to use external USB devices—yet only a small portion (15%) actually do seek permission to do so.

• 46% of companies don’t require employees to seek permission.

• Of four key industries, 63% of financial firms have employees not seeking permission to use USB devices—compared to 98% in education; 87% among government entities; and 83% in the healthcare business.

Apricorn’s survey found that some companies use security practices. What’s troubling is the portion of respondents that aren’t using them. The practices include PINs and passwords (84% do); scanning USB devices for malware (82%); data encryption on device (42%); two-factor authentication (32%); and monitoring and tracking USB usage (29%).