The Security Threat You Probably Haven’t Considered: USB Storage Devices
Most companies understandably spend a great deal of time, effort and money locking down their computer systems and data centers against major threats like DDoS attacks, poor encryption at the local or cloud level, and unpatched software and applications.
But one of the biggest threats to data security comes from a problem you’d be unlikely to suspect: old-school USB storage devices.
The Role of USB Storage in 2016
As miraculous as thumb drives and other USB devices might have seemed just a few years ago, the rapid growth of cloud computing and storage is apparently destined to make USB drives just one more footnote in the history of computers and networks.
Those storage devices aren’t history just yet, though. A new survey by the European security company CoSoSys, conducted at a recent conference of security professionals, finds that three-quarters of all participating companies and organizations still allow workers to attach USB drives to their computers. And two-thirds of those companies allow employees to transfer company data on USB sticks, thumb drives and similar storage devices.
What’s even more startling is that despite the advances which have been made in USB encryption, only about one-third of responding companies require the use of encrypted devices when USB technology is used to transfer data. Unencrypted data transfer is a hidden risk which most IT security professionals thought they had eliminated – but it’s very much an issue today.
Honey, Have You Seen My Keys?
There’s another important but largely unconsidered vulnerability connected to the widespread use of portable USB storage devices in companies and organizations: lost drives. Thumb drives and sticks are certainly convenient, and continuing improvements in technology have given them larger capacity and faster operating speeds than ever. But they’re also easy to misplace – and the majority of those surveyed by CoSoSys say that at some point they’ve lost a USB drive themselves, or know someone who has. Needless to say, the loss of a drive with sensitive, unencrypted data can be a disaster for any company or organization.
What happens when an employee loses a USB stick or thumb drive? The research found that the first reaction is exactly what you’d expect: panic. But once the panic subsides, only 55 percent told their manager or their company’s IT department about the problem, despite the fact that most organizations have clear policies about reporting the loss of data. Nearly 20 percent decided to keep the lost drive a secret, while the rest either did nothing or called their own personal lawyers for advice.
It’s scary to extrapolate the numbers. If nearly half of all employees worldwide have lost at least one drive containing company data, and two-thirds of that data is unencrypted – that’s a security risk that would seem to dwarf the potential damage or theft that could be done by DDoS attackers, industry hackers and disgruntled employees combined.
It may take quite some time for security-conscious firms to completely eliminate the use of portable USB data devices. In the meantime, though, there are device control solutions which allow companies to monitor and control their usage (CoSoSys is one firm which produces them), and every organization should require USB data encryption immediately. The risk of inaction is far too great to ignore.