USB sticks still being used insecurely, Ponemon study finds

Not enough encrypted drives despite numerous data breaches

USB sticks remain a big security weakness for many UK organisations with many employees using drives for data transport without permission and not bothering to report their loss, a Ponemon Institute study has found.

The study polled 451 IT staff in the UK from a global total of 2,942 on behalf of Kingston Technology, finding that 73 percent had experienced staff use of USB drives without authorisation, with 72 percent mentioning loss without notification in the last two years.

Only half of UK organisations employed some form of security policy or technology to these devices, and awareness of the risk posed by them was to be low in Britain compared to security-aware countries such as Germany.

Organisations were reluctant to enforce the use of secure drives, with 55 percent of workers using generic drives bought by themselves or picked up at conferences or trade shows.

"If you lose a laptop you can't do your work; if you lose a USB stick nobody will ever know about it," said Larry Ponemon of the Ponemon Institute. "To many people a USB stick is just a ubiquitous device."

In the last three years, cases publicised by Britain's Information Commissioner's Office (ICO) show that lost USB drives - very few of which ever employ encryption despite containing sensitive data - have become a major bane of the public sector.

Despite only scratching the surface of the problem, according to Ponemon, public 'naming and shaming' has been a major spur to change.

"Notification has been shown to be very effective in achieving a higher level of compliance," said Ponemon. "When it is made a reputation issue, organisations tend to pay attention to it."

Data isn't the only risk, with only 29 percent of those asked saying that their companies had systems in place to detect the malware that might creep into organisations via USB sticks.

Kingston recommends that organisations provide all employees handling sensitive data with encrypted drives, create policies for acceptable use, and employ asset tracking and recovery to manage their deployment.

An infographic summarising the UK findings can be found here.

Join the CSO newsletter!

Error: Please check your email address.

Tags storagesecurityPonemon InstituteKingston TechnologyInformation Commissioner's Office

More about ICOKingstonKingston TechnologyTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place