Two-thirds of IT professionals use non-encrypted removable media at work in spite of being aware of the associated dangers.
The survey, conducted by mobile security company Pointsec, revealed that 56 percent of employees downloaded corporate information on to their memory sticks, up from 31 percent last year. While 65 percent of those surveyed were aware of the potential danger that removable media presents, 66 percent admitted that they had neglected to revise their current security policies with regard to removable devices. Only 21 percent secured them with passwords and encryption, and just 12 percent of organisations banned them completely from the workplace.
Interestingly, 4 percent of the participants felt the best way to avoid loss or theft of information from their device was to keep it in their pockets, even if it meant sleeping with the USB stick around their necks.
The most popular use of the memory sticks was the storage of corporate data such as contracts, proposals and other business documents. Customer names and addresses were stored by 22 percent of the users, with others using them to store presentations, budgets and other documents. One respondent used his memory stick to store his hacking tools while 3 percent found them useful to store passwords and bank account details. Seventy percent used them for downloading music files, reported Pointsec.
The survey, of 248 IT professionals who had attended the Infosecurity Europe 2006 conference in London last month, highlights that, with removable media plummeting in price, memory capacities soaring and more people using them at work, companies need to be educated about using them securely.
Martin Allen, managing director of Pointsec UK, said: "Our advice is to introduce strict guidelines on the use of removable media devices in the workplace, and invest in encryption software which will allow administrators to force the encryption of all data put onto a mobile device. Companies will soon realise that this type of software is just as vital and inexpensive as using anti-virus software."
Pointsec acknowledged that it could be difficult to prevent people from bringing removable media devices into the office. However, the company said that organisations that did not want to risk losing valuable data, or breaching legislation such as Sarbanes-Oxley, Basel 2 and the Data Protection Act, could consider the following security precautions:
- Deploy user mobile guidelines or ensure that corporate IT security policies include directives that state the importance of proper handling of mobile devices such as removable media.
- Ensure that all members of staff are aware that their employer does not allow non-company devices to be used within the company network.
- Use encryption software such as Pointsec Media Encryption, which enables centralised policy enforcement of strong encryption of all data stored on mobile devices and removable media.
- Use policies to control the number of login attempts that people may make when trying to get at information they shouldn't.
- Have methods in place which enable encrypted data to be decrypted in a controlled way outside the corporate network.
- The encryption process should be quick and transparent to the user, so that it does not interfere with their work or put any extra requirements on the user.
- Have methods (independent of the end user) which enable decryption of all encrypted data within the company network.