Report: USB Security no PICNIC, calls for more capable management

Posted by: on Sep 19, 2011 | No Comments

According to a recent research paper and survey conducted by the Ponemon Institute, a big part of the reason corporations across the board are at such great risk with the use of USB flash drives, boils down to good, old fashioned employee negligence.An old acronym, PICNIC, ever popular among IT hounds, is nowhere more appropriate than it is in this discussion of the Ponemon Institute’s findings on USB Safety and Security and the accompanying (and harrowing) failure of companies to maintain proper oversight over employees and their stubborn unwillingness to seriously consider the need for appropriate USB management initiatives.

Problem In Chair Not In Computer

According to the report (The State of USB Drive Security: U.S. Survey of IT and IT security practitioners) employee negligence regarding USB drives does in fact play a substantial role in the inability of corporations to ensure the safety and security of corporate data. Out of 743 IT and security professionals surveyed (each with an average 10 years’ of experience), a whopping 78% said that employees use USB drives at work without obtaining advance permission to do so (50% actively, 28% frequently); 73% said that employees lose USB drives without notifying appropriate authorities about the incident; and 72% said that employees use generic USB drives such as those received ‘free’ at conferences, trade events and business meetings.

The fact is, no matter how you slice it or skew it, the human element results in the fact that there is always going to be a substantial safety risk when it comes to the security of USB drives and devices – and nowhere is it safe. Your employees are human. The folks running companies are human. (Even those running the leanest, meanest corporations in the world – think, for example, of the incident last May, when IBM had to apologize for distributing malware-infected USB keys at an Australian security conference).

Employers And Organizations Almost Equally Responsible

Despite the harsh spotlight hovering over employees, the report does not limit its critique to employees. Employers and organizations are almost equally responsible. According to the report, 75% of those surveyed said their organizations displayed a clear unwillingness “to pay a premium to ensure USB drives used by employees [were] safe and secure.” Only 19% of those surveyed said their organizations were capable of asset tracking; a paltry 13% said their organizations had the wherewithal for internal auditing and 13% said that their organizations employed network intelligence tools. The survey also indicated that a mere 38% of organizations supplied employees with an approved USB drive for use in the workplace.

Furthermore, only 13 percent of those surveyed said that their organization has policy requiring end-users to contact the help desk immediately when a device is lost; two percent said their organization has the capacity to implement a remote termination of devices (kill switch); and an overwhelming 58% said that no formal procedures whatsoever are in place to deal with the risks of lost USB drives.

Considering that the organizations involved in the study have lost an average of 12,000 records (customer, consumer, employee) due to missing, lost or stolen USB flash drives, the results of this research seem almost impossible – so much so, that the workplace must be missing out on a fundamental understanding, here.
And what is that fundamental lack of understanding?

It is, quite simply, this: the management and supervision of USB devices within an enterprise (and their usage by employees within an organization) CANNOT BE LEFT OPEN AND VULNERABLE TO PREVAILING HUMAN ERROR AND/OR OMITTANCE. It is simply too intricate, and important. That said, it is, without question, time for organizations to more seriously consider the importance of employing a central USB management platform such as BlockMaster’s SafeConsole.

Protect Your Organization From The Human Element

SafeConsole empowers organizations to have a full, complete and comprehensive understanding of where their USB drives are (full internal audit and content audit) at all times, and allows for the remote management and/or termination of a flash drive at all times – including password reset. SafeConsole is easy to deploy and consists of a comprehensive array of features that take the human error out of the USB management equation. SafeConsole, with its FileRestrictor feature, allows organizations to relieve human users from having to protect their devices by taking a white-list approach to preventing the storage of unauthorized file-types and can prevent unauthorized autorun files from residing on a drive in the first place. FileRestrictor also has the capacity to perform on-board virus scans without interrupting working users…Are your, um, employees, do you think, going to be able to manage those types of things for you?

There is no doubt that USB safety and security is a huge problem; there is no doubt that the human element (negligence of employees/unwillingness of organizations to understand and invest) are driving the problem along; and there is no doubt that SafeConsole can provide appropriate USB management solutions that are not susceptible to the ravages of human negligence, error and omission…

Leave a Reply