17 April 2008
Corporate IT departments are underestimating the security risks posed by staff using personal USB flash drives on the network.
A survey conducted by SanDisk found that nearly 80 per cent of employees had used personal USB flash drives for work-related purposes — more than double the 35 per cent estimate provided by corporate IT departments.
In a sign of lax security awareness surrounding USB flash devices, the survey reported that 55 per cent of people would view the data on a flash drive they had found in a public place and revealed 12 per cent had found a drive in such circumstances.
Respondents said the data files most likely to be copied to personal flash drives were customer records (25 per cent), financial information (17 per cent), business plans (15 per cent), employee records (13 per cent), marketing plans (13 per cent), intellectual property and source code (both six per cent).
The findings were published a week after HP Australia admitted that a number of USB sticks shipped with some of its Proliant servers were infected by malware.
Opportunities exist for resellers and security specialists to increase awareness of the risks posed by USB flash drives to their customers, with many companies admitting they provided only limited training to staff on their policies for USB flash drive usage. A third of IT executives provided training once a year and a quarter trained staff more than once a year, but more than a fifth only provided training when employees started at the company, 17 per cent did so on an as-needed basis and three per cent never trained employees.
According to Dror Todress, head of marketing at SanDisk’s enterprise division, the disparity between the incidence of use of unsecured USB flash devices and the perception of IT managers was a cause for concern, and the type of data staff were transporting was also surprising.
Gil Mildworth, senior director of marketing at the division, echoed Todress’ view, stating that the study showed IT executives needed "more effective policies, education, and technology solutions in order to mitigate the risks".
Among other findings, the survey revealed nearly a quarter of staff were not familiar with their organisation’s policies regarding flash drive usage, or were aware they existed but were not familiar with specific details. Nearly half claimed the organisation did not have a policy outlawing the copying of corporate data on personal flash drives, but 40 per cent said their company did ban the practice.