The use of USB-connected devices such as memory
keys and flash drives is rising in the workplace, and companies
need to be aware of how easy it is for staff to use them, lose them
or take competitive information away on them, says Pointsec.
An employee's iPod could be used to download large volumes of
sensitive data from the corporate network or to introduce viruses,
worms or other malware when transferring data from a home PC to a
work PC.
The company also warns that if the devices are lost or stolen,
vast amounts of valuable company information could seriously expose
a company to extortion, digital identity fraud, or damage to its
reputation.
Pointsec’s survey of 300 UK IT professionals found that on average
31% of employees within a
company are using the devices in the office, while in a third of
companies, removable media is being used without authorisation.
Two-thirds of IT professionals who used the devices
at work admitted that they did not protect them with encryption
even though they were aware of the associated dangers. In fact, 90%
of those surveyed were aware of the potential danger presented by
removable media, but 41% did not know how easy it is to protect the
data contained on the devices.
“There seems little point in companies spending vast sums of
money on information security if at the same time they’re letting
their staff use these devices at work which allow them unhindered
access to download vast quantities of sensitive company
information,” said Martin Allen, Managing Director of Pointsec UK.
“Organisations need to introduce strict guidelines on the use of
removable media devices in the workplace, as well as investing in
encryption software which will allow administrators to force the
encryption of all data put onto a mobile device,” he continued.
“Using this type of software is just as vital and inexpensive as
using anti-virus software, yet only a fraction of organisations
have woken up to the problem.”
Pointsec recommends that companies:
- Deploy user mobile guidelines or ensure that your corporate IT
security policy includes corporate directives that state the
importance of proper handling of mobile devices such as
removable media.
- Ensure that all members of staff are aware that their
employment does not allow non-company devices to be used within the
company network.
- Use encryption software which enables centralised policy
enforcement of all data stored on mobile devices and removable
media.
- Have methods in place that enable encrypted data to be
decrypted in a controlled way outside the corporate network.
- Use policies to control the number of login attempts that
people may use to try and get at information they are not
authorised to see.
- Have methods (independent of the end user) that enable
decryption of all encrypted data within the company network.