IT professionals are carrying unprotected sensitive information on USB sticks

22 June 2010

Data transported on any unencrypted mobile device – such as laptops, handheld devices, smartphones, USB drives, CD-DVDs and other devices, are the equivalent of ticking time bombs waiting to blow up in the organisation’s face – with mandatory audits, breach notifications, hefty fines and public humiliation likely to ensue.

A new survey of alleged security conscious professionals has remarkably revealed that over half of respondents (52%), who admit to carrying company data on a USB stick, do not encrypt it. Remarkably, 11% of this savvy audience, who really should know better, ‘protect’ their devices with passwords alone – an insufficient defence that is widely understood to be easily breached.

The study, sponsored by Credant Technologies, questioned 277 IT security professionals. Astonishingly, the type of unprotected data being carried would have serious repercussions to the organisation should it be misplaced – from intellectual property(67%), customer data (40%) and employee details (26%).

Worst of all there really isn’t any excuse - organisations can easily arm themselves utilising centrally-managed solutions that provide data-centered, policy-based protection across all endpoints, which simply won’t allow information to be transferred without first encrypting it – regardless of the device it’s being transferred to.

Sean Glynn, vice president and chief marketing officer of Credant Technologies said, “If over half of this IT savvy audience are carrying unprotected sensitive information on USB sticks, and lets face it you can pick one up for less than £10 in most good supermarkets, it makes me question just how big this problem is and, more importantly, what needs to happen to make organisations wake up to the risk. Credant won’t rest on its laurels and as long as there are new devices coming into the arena, and new threats to protect them against, we’ll continue to work with organisations’ to deliver flexible solutions that track and report on where sensitive data is moving, and provide the right blend of data encryption and protection technologies to mitigate these risks.”

As if evidence of the problem was needed, early this month (June 2) it was revealed that a USB stick containing personal information about children, that was neither encrypted nor password protected, had been lost by West Berkshire Council; it was also reported (June 4) that in March a staff member from Lampeter Medical Practice downloaded a database containing 8,000 patient details onto an unencrypted USB stick before posting it but it never arrived; the month previously (May 5) another USB stick, this time containing personal information on patients and staff at a secure hospital near Falkirk, was reportedly found lying defenceless in an Asda store car park.

The UK is not the only country struggling with insecure mobile devices as, also last month (May 14), The Department of Veterans Affairs in the US suffered another possible breach of private data as it reported that a thief had stolen an unencrypted laptop that held the social security numbers and other information of 616 veterans.

The study also found that 11% of the sample had experienced a breach recently, a figure that Credant hopes one day to be 0% – but Sean’s not holding his breath.