Webtrends Tracking Code
 
UK Home >  OUT-LAW News >  News Archive >  2004 >  September 2004 >  USB 'menace' leaves employers exposed

USB 'menace' leaves employers exposed

OUT-LAW News, 29/09/2004

Most UK companies are taking no steps to stop their employees connecting insecure high-tech consumer devices into corporate networks, according to research published today by encryption and security firm BeCrypt.

Its Mobile Enterprise Security Study 2004, which looked at the workplace use of portable gadgets with a USB (Universal Serial Bus) connection – one of the main standards for connecting devices to computers – found that 85% of employers had no security policy in place that controlled the use of these devices.

The use of USB-connected devices such as memory keys, flash drives, music players such as the Apple iPod and smart mobile phones, is rising in the workplace. BeCrypt's survey of 180 employees found 63% admitting to connecting unchecked devices to corporate networks, with more than one third revealing that the devices were obtained from third parties as gifts, with no clearly identifiable source.

More than half of those surveyed had connected devices to computers at work in order to take data off site, introducing the risk of accidental or malicious use of external media to 'leak' private or classified data, said BeCrypt.

Nearly a quarter of respondents admitted having lost portable storage devices and more than half claimed ignorance over the impact that the misuse of portable storage devices could have on overall data security.

"Sloppy security practices and policy is making the rise of USB devices a real menace for British employers," said Peter Jaco, CEO of BeCrypt. "The problem is that USB device users are free to connect any device they wish and could remove key corporate data. Security policies need to lockdown USB device use, but also regulate and permit usage where devices are truly useful."

BeCrypt recommends that organisations extend their security strategy to cover the control of portable storage devices. This should include, says the firm:

  • A clearly defined process for educating employees about the policy.
  • A level of flexibility that takes into account the diverse needs of different users or machine groups, ranging from portable USB storage devices to high capacity removable storage devices such as FireWire drives (another standard for the connection between devices and computers).
  • Clear guidelines to employees looking to connect non-approved USB devices to the network with a timeframe governing how long it will take to get new devices authorised.
  • A clear procedure for reporting the theft or loss of a portable storage device and a record of data held on corporate devices.
  • A method of recording all manually registered USB devices that are being introduced to the enterprise within any centrally managed environment.

See also:

 

OUT-LAW Recommends

Free OUT-LAW seminars
- Making your contract work
- Information security
Six cities, October & November

This week's podcast
Are ISPs about to betray our trust?

Winner at 2008 Webby Awards

OUT-LAW star: link to the home page
Disclaimer | Privacy | Site Map | Accessibility
Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.