IT teams underestimate threat from USB drives

10 Apr 2008

Over three quarters of American workers bring memory sticks into their workplace for work-related purposes, posing a security risk far greater than that diagnosed by IT managers who think just 35pc do this.

A survey by USB flash drive maker SanDisk found that 77pc of US workers have brought personal flash drives into their organisation for work-related purposes. When corporate IT respondents were asked to estimate what percentage of the workforce uses personal flash drives, they said put the figure at a low 35pc.

That’s a lot of unsecured flash drives doing the rounds in US companies, said SanDisk, which cautioned against the danger of data loss this posed.

“Most CIOs are aware that data leaks can result in identity theft, compromise of IP and loss of trade secrets, as well as significant PR and financial damage to organisations,” commented Gil Mildworth, senior director of marketing for SanDisk’s enterprise division. “Our survey demonstrates that, while there is some awareness of potential risks involved with unsecured USB flash drives, corporate IT execs need more effective policies, education and technology solutions in order to mitigate against the risks.

“Only a top-down effort involving intelligent device management, data monitoring and centralised policy enforcement will sufficiently reduce risks, while allowing organisations to reap the productivity benefits of enhanced mobility.”

The survey revealed that data files most likely to be copied to a personal flash drives include customer records (25pc), financial information (17pc), business plans (15pc), employee records (13pc), marketing plans (13pc), IP (6pc) and source code (6pc).

Some 12pc of workers said they had found a flash drive in a public place. When respondents were asked to pick the three most likely actions they would take if they found a flash drive in a public place, over half (55pc) said they would view the data.

The survey found that 44pc of IT personnel who responded believed their companies did not have policies forbidding copying corporate data onto USB drives.

By Niall Byrne