We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,145 News Articles

USB sticks still being used insecurely, Ponemon study finds

Not enough encrypted drives despite numerous data breaches

USB sticks remain a big security weakness for many UK organisations with many employees using drives for data transport without permission and not bothering to report their loss, a Ponemon Institute study has found.

The study polled 451 IT staff in the UK from a global total of 2,942 on behalf of Kingston Technology, finding that 73 percent had experienced staff use of USB drives without authorisation, with 72 percent mentioning loss without notification in the last two years.

Only half of UK organisations employed some form of security policy or technology to these devices, and awareness of the risk posed by them was to be low in Britain compared to security-aware countries such as Germany.

Organisations were reluctant to enforce the use of secure drives, with 55 percent of workers using generic drives bought by themselves or picked up at conferences or trade shows.

"If you lose a laptop you can't do your work; if you lose a USB stick nobody will ever know about it," said Larry Ponemon of the Ponemon Institute. "To many people a USB stick is just a ubiquitous device."

In the last three years, cases publicised by Britain's Information Commissioner's Office (ICO) show that lost USB drives - very few of which ever employ encryption despite containing sensitive data - have become a major bane of the public sector.

Despite only scratching the surface of the problem, according to Ponemon, public 'naming and shaming' has been a major spur to change.

"Notification has been shown to be very effective in achieving a higher level of compliance," said Ponemon. "When it is made a reputation issue, organisations tend to pay attention to it."

Data isn't the only risk, with only 29 percent of those asked saying that their companies had systems in place to detect the malware that might creep into organisations via USB sticks.

Kingston recommends that organisations provide all employees handling sensitive data with encrypted drives, create policies for acceptable use, and employ asset tracking and recovery to manage their deployment.

An infographic summarising the UK findings can be found here.


IDG UK Sites

OnePlus Two release date rumours: Something's happening on 22 July

IDG UK Sites

13in MacBook Air review, Apple's MacBook Air 2014 reviewed

IDG UK Sites

5 reasons to buy an electric car and 5 reasons not to

IDG UK Sites

Evernote Skitch: the best way for creatives to doodle feedback