Survey Highlights UK Companies' Naïve Approach to Risks Posed by USB Sticks, iPods and PDAs

65% of companies needlessly put themselves at risk because they underestimate the threat posed to their network's security by USB sticks, flash drives, iPods and PDAs, research conducted among 370 UK companies shows.

The results of the survey, conducted by an independent media company, were announced today at InfoSecurity 2007 by GFI Software, an international developer of network security, content security and messaging software.

Although 49% of UK companies surveyed are concerned about data theft, 65% do not consider the use of these devices on their network to be a security threat. On the contrary, 71% are of the opinion that the use of portable storage devices is important or very important to the company's operations.

Nearly half of the respondents said they had no clue how many employees were actually using USB sticks or iPods at the office, and while 37% said it was their company's policy to monitor portable storage devices, only 22% had some form of hardware or software installed to control their usage on the network.

Security companies have long been warning about the dangers of endpoint devices but recent breaches show that businesses have not learnt the lesson and they are increasingly putting themselves at risk by giving out such devices to employees and encouraging their use.

According to GFI's research, 83% of UK companies surveyed admit giving their employees USB sticks or PDAs, saying that portable storage devices enabled mobile working (76%) and made data sharing easier (61%).

Portable storage devices are a major threat if companies have no record of what files are being transferred from the network to the device and vice versa. With only 29% actually logging what data is transferred to and from the network, companies are taking a very naïve approach to this security threat. This was confirmed last February when IT consultancy NCC sent finance directors from 500 listed firms USB sticks forming part of an anonymous invitation saying 'For Your Chance to Attend the Party of a Lifetime'. According to NCC nearly half of the finance directors and two-thirds of media companies inserted the unidentified memory stick into their computers. Although this was a harmless incident, it proves the point that it only takes one USB stick to upload a virus to a system and only one 4GB USB stick to copy all the company's most sensitive commercial data.

While 99% of UK companies said they had anti-virus, anti-spam and firewalls installed, 78% did nothing to control the use of portable storage devices and only 9% said they had other security measures or products in place.

Last February, the Nationwide Building Society was fined £980,000 by the Financial Services Authority after details of nearly 11 million customers had been put at risk by an employee who downloaded the data from the company's network. The FSA said the bank's failure to manage or monitor downloads of very large amounts of data onto portable storage devices meant that Nationwide had limited control over information held in this way or how it was used.

In many cases, security breaches go unnoticed or administrators are unaware of them. GFI's research shows that 28% have no idea if they experienced internal security breaches/data theft because of the uncontrolled use of portable devices.

A few in-house counter-measures exist that corporations can adopt to prevent unauthorized portable device use, but none of them is a perfect solution. Banning portable storage devices on the corporate premises, physically blocking computer access ports, or using Windows Group Policies are common practices, yet they also restrict those who depend on these devices to work, as GFI's research shows.
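The Group Policy route mentioned above is the one of the three that can be made granular: rather than banning sticks outright, an administrator can leave removable disks readable but deny writes, which addresses the data-copying risk while keeping the devices usable for the 71% who rely on them. The PowerShell below is an added illustration, not code from GFI or the article. It reads and sets the registry values that back the "Removable Storage Access" policies (Computer Configuration > Administrative Templates > System > Removable Storage Access, available from Windows Vista; the execute-deny value from Windows 7), plus the older driver-level USBSTOR block, and enables the Plug and Play audit subcategory that makes Windows 10 / Server 2016 and later log Security event 6416 whenever a new external device is recognised. The function names are this example's own; the registry paths, value names and the auditpol subcategory are Microsoft's documented ones.

```powershell
# Added example: audit and enforce removable-storage controls on a Windows host.
# Run in an elevated session. Values written here under HKLM\SOFTWARE\Policies are
# the local equivalent of the GPO setting; a domain GPO will overwrite them on refresh,
# so in a managed estate set them in the domain policy instead.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID used by the "Removable Disks" policies (USB sticks, flash drives)
$RemovableDisk = "$PolicyRoot\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
# Older, coarser control: stop the USB mass-storage driver from loading at all
$UsbStor       = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-DwordOrNull {
    # Return a DWORD registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemovableStoragePolicy {
    # Report which of the common controls are currently in force on this machine.
    [pscustomobject]@{
        DenyAllRemovableStorage  = (Get-DwordOrNull $PolicyRoot    'Deny_All')     -eq 1
        RemovableDiskDenyRead    = (Get-DwordOrNull $RemovableDisk 'Deny_Read')    -eq 1
        RemovableDiskDenyWrite   = (Get-DwordOrNull $RemovableDisk 'Deny_Write')   -eq 1
        RemovableDiskDenyExecute = (Get-DwordOrNull $RemovableDisk 'Deny_Execute') -eq 1
        UsbStorDriverDisabled    = (Get-DwordOrNull $UsbStor       'Start')        -eq 4
    }
}

function Set-RemovableDiskPolicy {
    # Default is "read-only sticks": staff can still open files brought in on a
    # device, but cannot copy data out of the network onto it, and cannot run
    # executables from it (the autorun/virus case the article describes).
    param(
        [bool]$DenyRead    = $false,
        [bool]$DenyWrite   = $true,
        [bool]$DenyExecute = $true
    )
    if (-not (Test-Path $RemovableDisk)) { New-Item -Path $RemovableDisk -Force | Out-Null }
    $settings = @{ Deny_Read = $DenyRead; Deny_Write = $DenyWrite; Deny_Execute = $DenyExecute }
    foreach ($name in $settings.Keys) {
        $value = if ($settings[$name]) { 1 } else { 0 }
        New-ItemProperty -Path $RemovableDisk -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    }
    # The policy is applied when a device is enumerated; devices already plugged in
    # keep their current access until they are removed and reinserted.
    Get-RemovableStoragePolicy
}

function Enable-DeviceConnectionAudit {
    # Windows 10 / Server 2016 and later: record Security event 6416
    # ("A new external device was recognized by the System") so that, unlike
    # the respondents who had no idea how many staff were using sticks,
    # the administrator has a per-host record of every device connected.
    auditpol /set /subcategory:"Plug and Play Events" /success:enable
}

# Usage: see the current state, then apply read-only policy and enable auditing.
Get-RemovableStoragePolicy
Set-RemovableDiskPolicy
Enable-DeviceConnectionAudit
```

Two caveats a practitioner should keep in mind. First, the "Removable Disks" class only covers devices that present as mass storage; iPods and PDAs connecting over MTP fall under the separate "WPD Devices: Deny write access" policy in the same Group Policy folder and need to be set as well. Second, the read/write/execute denies control access to the device but do not by themselves produce the file-level transfer log that only 29% of the surveyed companies kept; that still needs an endpoint agent or file-system auditing on top of the device-connection events.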

What administrators must also realize is that managing risk is always more cost effective than having to react to breaches or incidents. In an ever-growing networked environment where risk is becoming a major concern, administrators have to be ahead of threats rather than passively reacting to incidents. Apart from immediate financial repercussions such as business loss, there is the enduring stain of embarrassment and loss of credibility. For a company that prides itself on protecting its customers' data, a single breach could have irreversible repercussions.

And this is a fact that the majority of the UK companies surveyed by GFI appear all too ready to ignore.
