USB Encryption and Security Falls Well Short

infosecuritylogo.png

WEDNESDAY, DECEMBER 13, 2017 | INFOSECURITY MAGAZINE, TARA SEALS

A full 87% of employees surveyed have lost a USB drive and failed to notify their company.

A recent survey from Apricorn of more than 400 IT professionals from industries including education, finance, government, healthcare, legal, manufacturing, retail and manufacturing, reveals that most employees use USB drives, but that companies are leaving themselves open to data breaches and leaks by not effectively monitoring these devices and the data that gets written to them.

“With the ever-increasing amount of data breaches and compromises, companies need to carefully monitor what data is being created in their organizations and what is leaving,” the company said in its report, noting that there seems to be awareness that there is confidential information across most industries that if exposed can result in severe brand reputation damage, lost revenue, legal fees, reparation and punitive damage costs and non-compliance fines. In fact, nearly 80% of survey respondents say protection of confidential information stored on USB drives is a high priority.

However, eight out of 10 employees use non-encrypted USB drives such as those received free at conferences, tradeshow events or business meetings, which could be easily lost or stolen and fall into the wrong hands, or introduce malware into a company’s host system.

Most companies agree that the use of USB drives improves IT operations efficiency and boosts productivity. In terms of the percentages of industry verticals that agree, it breaks down to 77% of education employees; 77% of government employees; 66% of healthcare employees; and 50% of financial employees.

However, the survey revealed that 50% are not required to seek permission for external USB drive usage, which leaves organizations vulnerable. Unfortunately, employees that fall in the 50% of companies that need to seek permission, don’t, which leaves them exposed and unprotected.

Some companies are taking steps to address USB security: About 58% say their companies have adequate governance and policies to manage the use of USB drives in the workplace (and 61% of companies have a policy in place detailing acceptable USB device usage); and 54% of companies surveyed have appropriate technologies to prevent or detect the downloading of confidential data onto USB drives. Half have a policy requiring reporting of lost or stolen USB devices, and about half (49%) provide their employees with approved USB devices.

More, however, needs to be done. “Government, healthcare, finance and education industries have access to copious amounts of sensitive information and most of these industries are using USBs without advanced permission,” Apricorn said. “Not only are these companies leaving themselves vulnerable, they are placing their customers’ and employees’ data at risk.”