USBs pose major security threat

Imagine if every time you left your office building you had to take a four-draw filing cabinet with you. It’s made of metal, and each draw holds 10,000 pages of your confidential documents. It would be a pain to wheel around, but too risky to leave unattended.

This is essentially what happens every time you carry a USB drive out of the office. A tiny two gigabyte memory stick can hold 40,000 pages of scanned documents – a filing cabinet’s worth – and is a lot easier to lose.

But while your boss may become suspicious if you wheeled out a filing cabinet, no one notices [or seems to care] if you take a memory stick home with you. Yet they should, for USB devices pose a major security threat.

This threat is twofold. First, USB storage devices – from ‘pen’ drives of up to 16GB capacity, to portable hard drives (up to about 500GB) and media players such as iPods – are great facilitators of intentional and unintentional ‘data leakage’. This can be costly: a recent report by the European Union Agency for European Network and Information Security (Enisa) found that security breaches involving corporate data on USBs can cost businesses anything from €65,000 (Dh374,735) to €1.6 million per violation. Enisa warned that USBs are usually overlooked by corporate policies on audits, back-ups, encryption and asset management.

“We’ve seen a specific increase in malicious code specifically designed to propagate with the use of USB storage devices and media players,” says Ivor Rankin, Senior Technical Security Practice Manager at Symantec Global Security Services. “Attackers are primarily looking to steal information. On an average, as many as one in every two USB drives contains confidential information.”

Companies working in the UAE need to take a proactive stance on the dangers of USBs especially as Rankin says, “most organisations become aware of the issue because of a breach”.

The answer is to invest in the right software (Symantec’s Vontu product allows companies to manage which USBs are authorised for use, and what information can be copied onto them), and hardware (some of McAfee’s Encrypted USBs include built-in fingerprint scanners, for example).

However, the main factor is education and building awareness. Managers and employees need to be aware that, while USB sticks may be small, they can have a big impact on corporate security.