April 24, 2007 - 12:00
Survey highlights UK companies' naive approach to risks posed by USB sticks, iPods and PDAs
London, UK – 65% of companies needlessly put themselves at risk because they underestimate the threat posed to their network’s security by USB sticks, flash drives, iPods and PDAs, research conducted among 370 UK companies shows.
The results of the survey, conducted by an independent media company, were announced today at Infosecurity Europe 2007 by GFI Software, an international developer of network security, content security and messaging software.
Although 49% of UK companies surveyed are concerned about data theft, 65% do not consider the use of these devices on their network to be a security threat. On the contrary, 71% are of the opinion that the use of portable storage devices is important or very important to the company’s operations.
Nearly half of the respondents said they had no clue how many employees were actually using USB sticks or iPods at the office, and while 37% said it was their company’s policy to monitor portable storage devices, only 22% had some form of hardware or software installed to control their usage on the network.
“The uncontrolled use of portable storage devices by employees is a very real threat to the security and stability of any business. Unfortunately, many businesses are unaware of or ignore the threat until something actually happens,” Andre Muscat, Director, Network Security Products at GFI Software explained.
Security companies have long been warning about the dangers of endpoint devices but recent breaches show that businesses have not learnt the lesson and they are increasingly putting themselves at risk by giving out such devices to employees and encouraging their use.
According to GFI’s research, 83% of UK companies surveyed admit giving their employees USB sticks or PDAs, and that portable storage devices enabled mobile working (76%) and data sharing was made easier (61%).
Portable storage devices are a major threat if companies have no record of what files are being transferred from the network to the device and vice-versa. With only 29% actually logging what data is transferred to and from the network, companies are taking a very naÃ¯;;;;ve approach to this security threat. This was confirmed last February when IT consultancy NCC sent finance directors from 500 listed firms USB sticks forming part of an anonymous invitation saying ‘For Your Chance to Attend the Party of a Lifetime’. According to NCC nearly half of the finance directors and two-thirds of media companies inserted the unidentified memory stick into their computers. Although this was a harmless incident, it proves the point that it only takes one USB stick to upload a virus to a system and only one 4GB USB stick to copy all the company’s most sensitive commercial data.
“This is a growing problem for businesses and our research clearly shows that although companies are concerned about data theft, they must be made aware of the real threats and where they are coming from,” Mr. Muscat added.
While 99% of UK companies said they had antivirus, anti-spam and firewalls installed, 78% did nothing to control the use of portable storage devices and only 9% said they had other security measures or products in place.
“Insider threats are growing and companies need to be more aware of this threat because the repercussions can be enormous,” Mr. Muscat said.
Last February, the Nationwide Building Society was fined Â£980,000 by the Financial Services Authority after details of nearly 11 million customers had been put at risk by an employee who downloaded the data from the company’s network. The FSA said the bank’s failure to manage or monitor downloads of very large amounts of data onto portable storage devices meant that Nationwide had limited control over information held in this way or how it was used.
In many cases, security breaches go unnoticed or administrators are unaware of them. GFI’s research shows that 28% have no idea if they experienced internal security breaches/data theft because of the uncontrolled use of portable devices.
While a few in-house counter-measures that corporations can adopt to prevent unauthorized portable device use exist, they are not the perfect solution. Banning portable storage devices on the corporate premises, the physical blocking of computer access ports, or using Windows Group Policies are common practices, yet they also restrict those who depend on these devices to work, as GFI’s research shows. “The only effective solution to counter portable device threats is to deploy a software solution that allows you to discriminate between legitimate and illegitimate use of devices, in compliance with the custom security policies set up by the corporation. Even if access is granted, the solution should allow you to log all activity so that you can backtrack if and when a security breach actually occurs,” Mr Muscat explained.
What administrators must also realize is that managing risk is always more cost effective than having to react to breaches or incidents. In an ever-growing networked environment where risk is becoming a major concern, administrators have to be ahead of threats and not passively reacting to incidents. Apart from immediate financial repercussions such as business loss, there is the enduring stain of embarrassment and loss of credibility. For a company that prides itself with protecting its customers’ data, a single breach could have irreversible repercussions.
And this is a fact that the majority of the UK companies surveyed by GFI appear to ignore so easily.
More details on endpoint security and iPod slurping can be found at: http://www.gfi.com/whitepapers/pod-slurping-an-easy-technique-for-stealing-data.pdf and http://www.gfi.com/whitepapers/threat-posed-by-portable-storage-devices.pdf.
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.