In addition, malware-infected USB drives likely caused theft of confidential information in 55% of respondents. The Ponemon Institute surveyed 743 IT and IT security practitioners.
More than 40% of organizations surveyed report having more than 50,000 USB drives in use in their organizations, with nearly 20% having more than 100,000 drives in circulation. The majority of those organizations (67%) confirmed that they had multiple loss events – in some cases, more than 10 separate events.
On average, organizations believe that they have lost 12,000 records with sensitive information as a result of insecure use of USB drives, noted John Terpening, secure USB business manager at Kingston Digital. Kingston offers secure USB drives that encrypt data in case the drive is lost.
“The USB tends to be overlooked in terms of security in the enterprise and government”, Terpening told Infosecurity.
The study found that a head-shaking 71% of respondents did not consider the protection of confidential and sensitive information on USB drives to be a high priority.
“The awareness still isn’t there…You still have part of the enterprises that ignores the USB port”, Terpening said.
Free USB sticks from conferences, trade shows, business meetings and similar events are used by 72% of employees – even in organizations that mandate the use of secure USBs, the survey found.
In fact, the Department of Homeland Security recently conducted a test during which they dropped computer discs and USB drives in the parking lots of government buildings and private contractors. Without any identifying markings on the USB stick, 60% of employees who picked up the devices plugged the drives into office computers. With an “official” government seal, the plug-in rate reached 90%.
Less than a third of organizations believe they have adequate policies to prevent USB misuse – and a majority are not enforced, the survey found.
“What doesn’t work is banning the use of USB drives. The reason employees are using these devices is because they are productivity boosters”, Terpening stressed. “The policy has to start at the enterprise or government level with education of employees, educate them to the dangers” of insecure handling of USB drives, he added.