As threats to corporate data grow, and the cost of breaches increase, a survey of alleged security conscious professionals has remarkably revealed that over half of respondents (52%), who admit to carrying company data on a USB stick, do not encrypt it. Remarkably, 11% of this savvy audience, who really should know better, protect their devices with passwords alone an insufficient defence that is widely understood to be easily breached!
The study, sponsored by Credant Technologies the endpoint data protection solutions provider, questioned 277 IT security professionals who, theoretically, view security seriously enough to spend time attending InfoSecurity Europe. Astonishingly, the type of unprotected data being carried would have serious repercussions to the organisation should it be misplaced from intellectual property(67%), customer data (40%) and employee details (26%).
Data transported on any unencrypted mobile device such as laptops, handheld devices, smartphones, USB drives, CD-DVDs and other devices, are the equivalent of ticking time bombs waiting to blow up in the organisations face with mandatory audits, breach notifications, hefty fines and public humiliation likely to ensue. Worst of all there really isnt any excuse - organisations can easily arm themselves utilising centrally-managed solutions that provide data-centered, policy-based protection across all endpoints, which simply wont allow information to be transferred without first encrypting it regardless of the device its being transferred to.
Sean Glynn, vice president and chief marketing officer of Credant Technologies said, If over half of this IT savvy audience are carrying unprotected sensitive information on USB sticks, and lets face it you can pick one up for less than 10 in most good supermarkets, it makes me question just how big this problem is and, more importantly, what needs to happen to make organisations wake up to the risk. Credant wont rest on its laurels and as long as there are new devices coming into the arena, and new threats to protect them against, well continue to work with organisations to deliver flexible solutions that track and report on where sensitive data is moving, and provide the right blend of data encryption and protection technologies to mitigate these risks.
As if evidence of the problem was needed, early this month (June 2) it was revealed that a USB stick containing personal information about children, that was neither encrypted nor password protected, had been lost by West Berkshire Council; it was also reported (June 4) that in March a staff member from Lampeter Medical Practice downloaded a database containing 8,000 patient details onto an unencrypted USB stick before posting it but it never arrived; the month previously (May 5) another USB stick, this time containing personal information on patients and staff at a secure hospital near Falkirk, was reportedly found lying defenceless in an Asda store car park. The UK is not the only country struggling with insecure mobile devices as, also last month (May 14), The Department of Veterans Affairs in the US suffered another possible breach of private data as it reported that a thief had stolen an unencrypted laptop that held the social security numbers and other information of 616 veterans.
The study also found that 11% of the sample had experienced a breach recently, a figure that Credant hopes one day to be 0% but Seans not holding his breath.