The next time your boss complains when you suggest that picking up secure USB sticks because of the price, you might want to reference this report from Kingston which details several horror stories of what happens with a lax policy towards portable storage.  We have seen Stuxnet recently, as well there is a long list of tricks that can be played with USB devices with the U3 autorun present on many USB devices. 

This goes far beyond just a complaint about using USB sticks received for free at trade shows or picked up on discount from Costco, the report cites an instance where unmarked USB sticks were left in obvious spots in government parking lots and over half of them ended up being plugged into the wok PC of the person who found it.   Maybe now spending a little extra on secure USB sticks will seem a little more attractive to the beancounters.

Fountain Valley, CA — August 9, 2011 — Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced the results of a study conducted by the Ponemon Institute looking at USB prevalence and risk in organizations. The study found that inexpensive consumer USB Flash drives are ubiquitous in all manner of enterprise and government environments ― typically with very little oversight or controls, even in the face of frequent and high profile incidents of sensitive data loss. The Ponemon Institute is an independent group that conducts studies on critical issues affecting the management and security of sensitive information about people and organizations.

The study underscores the pressing need for organizations to adopt more secure USB products and policies. A group of 743 IT professionals and IT security practitioners from global companies based in the United States were polled, and all acknowledged the importance of USB drives from a productivity standpoint. They cautioned, however, about the lack of organizational focus regarding security for these tools to meet appropriate data protection and business objectives.

The most recent example of how easily rogue USB drives can enter an organization can be seen in a U.S. Department of Homeland Security test in which USBs were ‘accidentally’ dropped in government parking lots. Without any identifying markings on the USB stick, 60 percent of employees plugged the drives into government computers. With a ‘valid’ government seal, the plug-in rate reached 90 percent.

According to the Ponemon study, more than 40 percent of organizations surveyed report having more than 50,000 USB drives in use in their organizations, with nearly 20 percent having more than 100,000 drives in circulation. The study finds that a whopping 71 percent of respondents do not consider the protection of confidential and sensitive information on USB Flash drives to be a high priority. At the same time, the majority of these same respondents feel that data breaches are caused by missing USB drives.

The Ponemon study concluded that a staggering 12,000 customer, consumer and employee records were believed to be lost on average by these same companies as a result of missing USBs. According to a previously released Ponemon report, the average cost of a data breach is $214 per record, making the potential average total cost of lost records to the organizations surveyed for the Ponemon USB Flash drive study, reach upwards of $2.5 million (USD). Other key findings in the report include:

Evidence of widespread compromise is apparent:

  • Nearly 50 percent of organizations confirmed lost drives containing sensitive or confidential information in the past 24 months.
  • The majority of those organizations (67 percent) confirmed that they had multiple loss events – in some cases, more than 10 separate events.

Oversight and control of USBs in enterprises can be better:

  • Free USB sticks from conferences/trade shows, business meetings and similar events are used by 72 percent of employees ― even in organizations that mandate the use of secure USBs.
  • In terms of policies and controls, of the hundreds of IT professionals and IT security professionals polled, only 29 percent felt that their organizations had adequate policies to prevent USB misuse.

“An unsecured USB drive can open the door for major data loss incidents,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute. “Organizations watch very carefully, and put a plethora of controls around, what enters their businesses from cyberspace. This study drives home the point that they must also take a more aggressive stance on addressing the risks that exist in virtually every employee’s pocket.”

“Kingston believes a lack of oversight, education and corporate confusion are factors that lead to the overwhelming majority of data loss when it comes to USB Flash drives,” said John Terpening, Secure USB business manager, Kingston. “Organizations fear that any attempt to control a device like a USB is likely to be futile and costly, both in terms of budget and loss of productivity. However, a simple analysis of what an organization needs and the knowledge that there is a range of easy-to-use, cost-effective, secure USB Flash drive solutions can go a long way toward enabling organizations and their employees to get a handle on the issue.”

The full report can be downloaded from the Kingston Web site.