[ISN] Thumb Drives Replace Malware As Top Security Concern, Study Finds

From: InfoSec News (alerts@private)
Date: Mon May 07 2007 - 22:19:39 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=199300021

By Sharon Gaudin
InformationWeek
May 7, 2007 02:48 PM

A worker calls up a sensitive investor list and downloads it on her 
thumb drive, slips it into her pocket, and walks out, smiling and waving 
to her boss and the security officer stationed at the front door.

This is just one of the scenarios that security professionals and IT 
managers are increasingly worried about. According to one recent study, 
IT managers said portable storage devices, such as thumb drives and MP3 
players, have surpassed even malware to become a top concern.

The study, which polled 370 IT professionals, showed that 38.4% of IT 
managers say portable storage devices are their top security concern. 
That's up from 25.7% in 2006.

"It is very easy to download information to them quickly," said Bill 
Piwonka, VP of product management for Centennial Software, which 
conducted the survey at this spring's InfoSec security conference in 
London. "If there isn't a defined acceptable use policy or controls to 
prevent the download and transfer of sensitive data, managers do not 
know if and how such data is leaving the building. Also, USB sticks are 
frequently lost. If sensitive data isn't encrypted on these devices, it 
would obviously be very easy to obtain."

To make matters worse, 80% of respondents admitted that their 
organizations don't currently have effective measures in place to combat 
the unauthorized use of portable devices. And 43.2% cited no control at 
all. Only 8.6% have a total ban on portable devices.

Piwonka said in an interview that that danger with portable storage 
devices lies in not knowing what files have been maliciously or even 
unintentionally downloaded to them, and how that data is being used. And 
if it has been lost, who has the information?

A worker easily could download corporate information -- sales figures, 
customer lists, marketing plans -- onto a small storage device, slip it 
into their bag or even a pocket, and just walk out the door with it. It 
makes stealing information much easier since it's not a matter of 
printing anything out or even walking out of the office with a laptop 
slung over a shoulder.

While IT managers fear what users might do with a portable storage 
device, they also really like them for themselves.

The study showed that 65% of IT managers use a USB flash drive on a 
daily basis.

"Portable devices do have a function in the workplace," said Piwonka. 
"They are an easy way to share, transfer, and store information. 
Managers need to create an acceptable use policy and share it with their 
employees to further control the handling of sensitive data."


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Mon May 07 2007 - 22:30:26 PDT