‘Sloppy’ Plug & Play USB Device Security Is Rife On British Computer Networks,Study Shows

The majority of UK companies have left themselves exposed over the growth in use of insecure ‘plug & play’ portable devices on computer networks, with most having no policies for controlling their rise. This is despite a study, which showed that 63 per cent of employees admit to connecting unchecked devices to corporate networks and more than a third revealing that devices were obtained from third parties as gifts, with no clearly identifiable source.

These were the key findings of the BeCrypt Mobile Enterprise Security Study 2004, which looked at usage patterns and policies for portable gadgets in the workplace -USB connected devices such as memory keys, flash drives, music players such as the Apple iPod and smart mobile phones. It also examined whether organisation-wide security was in place and employees’ own views on who should be liable if portable device use causes data loss or theft.

More than half of those surveyed had connected devices to computers at work in order to take data off site, introducing the risk of accidental or malicious use of external media to ‘leak’ private or classified data. Nearly a quarter of respondents admitted having lost portable storage devices and more than half claimed ignorance over the impact that the misuse of portable storage devices could have on overall data security. The need for employers to give more guidance on how to use portable storage devices in the work place and the related personal liabilities was also highlighted by 85 per cent of employees.

“Sloppy security practices and policy is making the rise of USB devices a real menace for British employers,” said Peter Jaco, CEO, BeCrypt. “The problem is that USB device users are free to connect any device they wish and could remove key corporate data. Security policies need to lockdown USB device use, but also regulate and permit usage where devices are truly useful.”

Analyst firm Gartner recently warned of the risk of iPods being used to download sensitive corporate data, and many organisations have already learnt first hand of the risk of malicious software being introduced through employees connecting devices unchecked to computers and hence to networks.

The BeCrypt Mobile Enterprise Security Study, which surveyed the views of a random sample of 180 employees during July to September 2004 was undertaken as part of the development of Connect Protect, a new BeCrypt product that will for the first time provide secure, regulated connection of USB devices to laptops and PCs in line with corporate security policy. .

Recommendations:
Based on the findings, BeCrypt recommends that organisations look to include the control of portable storage devices as part of their enterprise-wide data security strategies as follows:

1. A clearly defined process for communicating to employees the security policies that determine USB device usage. This will clearly demonstrate the level of security risk connecting devices to the network poses and employee liability if policies are not adhered to
2. A level of flexibility that takes into account the diverse needs of different users or machine groups, ranging from portable USB storage devices to high capacity removable storage devices such as FireWire drives
3. Clear guidelines to employees looking to connect non-approved USB devices to the network with a timeframe governing how long it will take to get new devices authorised
4. A clear procedure for how to report the theft or loss of a portable storage device and a record of data held on corporate devices
5. A method of recording all manually registered USB devices that are being introduced to the enterprise within any centrally managed environment

A copy of the management report can be downloaded from http://www.becrypt.com/management_report.cfm

About BeCrypt

BeCrypt Limited was formed in 2001 to meet the growing demand for high-level computer encryption products in the international government and corporate marketplace. The company is a leading provider of enterprise encryption and security products designed to fully protect all corporate data. BeCrypt products protect customers in a number of key UK government areas including: central and local government, the military and defence sector, law enforcement and transportation. The company also services the commercial sector with key customers in financial services, pharmaceutical, insurance and banking sectors.

BeCrypt’s DISK Protect and PDA Protect products have been designed to meet stringent government security standards and have been approved by the UK Government’s Information Assurance group, the Communications Electronics Security Group (CESG) within GCHQ. This approval ensures BeCrypt products have met the needs of Government level security policy and standards without compromising usability.

BeCrypt has won an award from the Department of Trade and Industry for innovative technology and has patents pending on a number of unique encryption technologies.

Further information at http://www.becrypt.com