Two-thirds of IT professionals who answered a survey on mobile security use non-encrypted removable media at work, despite being aware of the associated dangers.
The survey, conducted by mobile security vendor Pointsec, revealed that 56% of employees downloaded corporate information on to their memory sticks, up from 31% last year. While 65% of those surveyed were aware of the potential danger that removable media presents, 66% admitted to neglecting to revise their current security policies with regard to removable devices. Only 21% secured them with passwords and encryption, and just 12% of organisations banned them completely.
Four percent of the participants felt the best way to avoid loss or theft of information was to keep it in their pockets, even if it meant sleeping with the USB stick around their necks.
The most popular use of the memory sticks was the storage of corporate data, such as contracts, proposals and other business documents. Customer names and addresses were stored by 22% of the users, with others using them to store presentations, budgets and other documents. One respondent used his memory stick to store his hacking tools, while 3% found them useful to store passwords and bank account details. Seventy percent used them for downloading music files, Pointsec says.
The survey of 248 IT professionals who attended the Infosecurity Europe 2006 conference, held in London last month, highlights that, with removable media devices plummeting in price, memory capacities soaring and more people using them at work, organisations need to be educated about using them securely.
Martin Allen, managing director of Pointsec UK, says, “Our advice is to introduce strict guidelines on the use of removable media devices in the workplace, and to invest in encryption software which will allow administrators to force the encryption of all data put onto a mobile device.”
Pointsec acknowledges that it could be difficult to prevent people from bringing removable media devices into the office. However, the company says that if organisations don’t want to risk losing valuable data, they should consider the following security precautions:
• Deploy user mobile guidelines or ensure that corporate IT security policies include directives that state the importance of proper handling of mobile devices such as removable media.
• Ensure that all members of staff are aware that their employer does not allow non-company devices to be used within the company network.
• Use encryption software which enables centralised policy enforcement of strong encryption of all data stored on mobile devices and removable media.
• Use policies to control the number of login attempts that people may use to try and get at information they shouldn’t.
• Have methods in place which enable encrypted data to be decrypted in a controlled way outside the corporate network.
• Have methods (independent of the end user) which enable decryption of all encrypted data within the company network.