80% of companies failing to protect against removable media devices
Removable media devices now present the biggest threat to corporate security, according to research conducted at this year’s InfoSecurity Europe conference in London last week. However, the research conducted by Centennial Software found that four out of five companies do not have effective measures in place to protect against the threat these devices can pose.
Over 43 per cent of those questioned have no controls whatsoever in place to manage removable media devices, 27.4 per cent leave it to the manager’s discretion, and 8.6 per cent have taken the drastic step of introducing a company-wide ban. Only 16.4 per cent use endpoint security software to manage the potential risks effectively. This is despite a raft of recent media stories surrounding insider data theft using removable media.
But companies are not ignorant of the risk. In a significant development for Centennial’s annual “Security Attitudes Survey”, 2007 saw removable media devices rated by 38.4 per cent of respondents as the number security issue facing their organization. The risk has taken over from Web viruses (23.7 per cent) and malware / spyware (22.3 per cent) for the first time.
While more companies in 2007 said they do include removable devices in the acceptable use policies (63.4 percent versus 54.5 percent last year), with more USB sticks than ever in use on the network (65.6 percent regularly use USB sticks, up from 36.3 percent last year) it’s not enough to rely on a policy, according to Centennial.
“It’s long been recognized that human error leads to the majority of information security problems,” said Matt Fisher, vice-president at Centennial. “Leaving the use of removable devices at the discretion of staff exacerbates the risks posed by these devices – especially when a minority of employees may have reasons for wanting to steal or compromise data.”
He continued: “A larger proportion of companies than last year said they had no controls for managing removable devices in place – 43.3 per cent versus 38.5 per cent last year. This is an alarming trend; if organizations recognize the risks of data loss, theft and damage from USB sticks, smartphones and MP3 players, they need to take action to manage the threat and protect
their data.”
The third annual “Security Attitudes Survey” was conducted over the three days of Infosecurity Europe and was completed by more than 370 mid and senior level IT managers.