As threats to corporate data grow, and the cost of breaches increase, a survey of alleged security conscious professionals has remarkably revealed that over half of respondents (52%), who admit to carrying company data on a USB stick, do not encrypt it. Remarkably, 11% of this savvy audience, who really should know better, ‘protect’ their devices with passwords alone, an insufficient defence that is widely understood to be easily breached.
The study, sponsored by Credant Technologies, provider of endpoint data protection solutions, questioned 277 IT security professionals who, theoretically, view security seriously enough to spend time attending InfoSecurity Europe. The type of unprotected data being carried would have serious repercussions to the organisation should it be misplaced, from intellectual property(67%), customer data (40%) and employee details (26%).
Data transported on any unencrypted mobile device, such as laptops, handheld devices, smartphones, USB drives, CD-DVDs and other devices, are the equivalent of ticking time bombs waiting to blow up in the organisation’s face, with mandatory audits, breach notifications, hefty fines and public humiliation likely to ensue.
Worst of all there really isn’t any excuse; organisations can easily arm themselves utilising centrally managed solutions that provide data-centered, policy-based protection across all endpoints, which simply won’t allow information to be transferred without first encrypting it, regardless of the device it’s being transferred to.
Sean Glynn, vice president and chief marketing officer of Credant Technologies said: “If over half of this IT savvy audience are carrying unprotected sensitive information on USB sticks, and lets face it you can pick one up for less than £10 in most good supermarkets, it makes me question just how big this problem is and, more importantly, what needs to happen to make organisations wake up to the risk.
“Credant won’t rest on its laurels and as long as there are new devices coming into the arena, and new threats to protect them against, we’ll continue to work with organisations’ to deliver flexible solutions that track and report on where sensitive data is moving, and provide the right blend of data encryption and protection technologies to mitigate these risks.”
As if evidence of the problem was needed, on 2 June it was revealed that a USB stick containing personal information about children, that was neither encrypted nor password protected, had been lost by West Berkshire Council; it was also reported on 4 June that in March a staff member from Lampeter Medical Practice downloaded a database containing 8,000 patient details onto an unencrypted USB stick before posting it but it never arrived; on 5 May another USB stick, this time containing personal information on patients and staff at a secure hospital near Falkirk, was reportedly found lying defenceless in an Asda store car park.
The UK is not the only country struggling with insecure mobile devices as on 14 May, The Department of Veterans Affairs in the US suffered another possible breach of private data as it reported that a thief had stolen an unencrypted laptop that held the social security numbers and other information of 616 veterans.
The study also found that 11% of the sample had experienced a breach recently, a figure that Credant hopes one day to be 0%.