Majority of IT departments leave major holes in their USB drive security
For the second year in a row, the majority of employers are failing to equip their employees with the appropriate technologies, procedures and policies to ensure data security across the organization, according to Apricorn.
The survey report, which polled nearly 300 employees across industries including education, finance, government, healthcare, legal, retail, manufacturing, and power and energy, examined year-over-year trends of USB drive usage, policies and business drivers.
The report indicated that even though 87% of organizations use USB drives, the majority of IT departments aren’t implementing tools to manage USB device usage. For example:
- Nearly 6 out of 10 organizations (58%) do not use port control / whitelisting software to manage USB device usage.
- More than a quarter of organizations (26%) do not use software-based encryption.
- Less than half of organizations (47%) require the deployment of encryption for data stored on the USB drive.
- Meanwhile, an overwhelming 91% of employees say encrypted USB drives should be mandatory.
In addition to employers’ shortcomings in providing the necessary tools to manage USB device usage, the report also indicated that IT departments’ policies for secure USB device usage are severely lacking. By comparing the key results of this survey against Apricorn’s previous USB data protection report, several concerning trends materialize, including:
- Less than half of organizations (47%) have a lost/stolen USB drive policy in place – compared to 50% in 2017
- The majority of respondents (53%) claimed their organization does not have appropriate technologies to prevent or detect the download of confidential data onto USB drives
- However the majority of respondents (54%) claimed their organization did have those appropriate technologies
- Nearly half of organizations (44%) do not have adequate governance and policies to manage the use of USB drives in the workplace, compared to 42% in 2017’s report
- Less than half of organizations (47%) require the deployment of encryption for data stored on the USB drive (an incremental improvement on the 42% from 2017)
- Finally, while more organizations in 2018 had a policy outlining acceptable use of USB devices than in 2017, more than a third (36%) still don’t have a policy in place
In contrast to these troubling results, the report did reveal one positive trend: there was a 24 percent drop in the number of organizations regularly using non-encrypted USB devices (58 percent in 2018, compared to 82 percent in 2017).
It is vital that this percentage continues to drop, considering that the Ponemon Institute estimated that the average total cost of a data breach increased by six percent between 2017 and 2018, to $3.86M per breach.
The report also suggested that the cloud isn’t the cure-all approach answer, either: more than half (57%) of organizations have low-to-moderate confidence in the cloud for migration and storage of their company’s most sensitive data.
“Considering the increase in volume, sophistication and severity of security threats facing organizations today, it is critical that employers arm their employees with secure USB drives to prevent highly damaging data breaches,” said Mike McCandless, Vice President of Sales and Marketing at Apricorn.
“Even though 90% of employees use USB devices today, the fact that nearly 60% of employers fail to use port control or whitelisting software to manage USB device usage is alarming. Organizations should not only implement strict data security policies, but they also must reinforce that their employees use encrypted USB drives that require a unique PIN.”