The state of USB data protection

Share this…

Data protection, whether related to personal customer or patient information, is critical across virtually all industries.  A survey made by information security trainingresearchers revealed that while USB drives are ubiquitous and widely used by employees across all industries, security policies for these devices are often severely outdated or inadequate for protecting critical enterprise data. Also, by failing to effectively monitor USB usage, organizations are leaving themselves vulnerable to data breaches, potentially putting their clients’ and employees’ personal information at risk of attack or unauthorized access.


The majority of employees rely on USB devices. In fact, nine out of 10 employees rely on USB devices today and 69 percent of respondents maintain that USB drives increase workplace productivity. Unfortunately, the data also shows that these employees are more likely to be using non-encrypted, unsecure devices, only 20 percent of them utilizing encryption. Conversely, the vast majority of employees surveyed, 80 percent, use non-encrypted USBs, such as those received for free at conferences, trade events or business meetings, which are not only insecure themselves, but can also introduce malware or Trojan horses into the users corporate systems.

This is not surprising considering only 48 percent of employees surveyed are required to seek permission for external USB use and only 15 percent surveyed actually ask for permission. And while 50 percent of companies have a policy requiring reporting of lost / stolen USB devices, an astounding 87 percent of employees have lost a USB drive and failed to notify their employer. A lack of security policy enforcement such as this, will ultimately compromise an organization’s network, leaving easy access for cybercriminals.

There is confidential information across most industries that if exposed can result in severe brand reputation damage, lost revenue, legal fees, reparation / punitive damage costs, and non-compliance fines, the information security training professionals said. Nearly 80 percent of survey respondents say protection of confidential information stored on USB drives is a high priority. Companies are leaving themselves open to data breaches and leaks by not adequately monitoring these devices and the data that gets written to them.

Although companies understand the importance of USB drives for efficiency and productivity, 50 percent are not required to seek permission for external USB drive usage. Perhaps it’s not surprising, then, that these and other lax security policies will ultimately leave organizations vulnerable to data compromise and attack. What’s more, the employees that are required to seek permission for using USB drives, often don’t, which also leaves their respective organizations unprotected and exposed to potential threats.

Of those that participated, 58 percent believe that their organizations have adequate governance and policies to manage the use of USB drives in the workplace and 54 percent surveyed have the appropriate technologies to prevent or detect the downloading of confidential data onto USB drives. It’s important for companies to have USB device policies in place that cover all areas including USB device usage, and lost or stolen USB device policies, however the key is that the policies need to be enforced. As the survey data proves, companies have policies in place but unfortunately most employees don’t abide by them.

Now, it’s critical that organizations, particularly those that house intellectual property, supply their employees with secure USB’s that defend against data breaches and cyberattacks. In light of an increasing number of data breaches and cyberattacks, companies will need to carefully monitor the data that is both being created and leaving their respective organizations. For government, healthcare, finance, and education industries that generate, store and move copious amounts of sensitive information on the network, the implications are awful.

It’s time organizations start taking back control of their data by implementing a foolproof security policy that includes USB port control / whitelisting of allowable removable devices and providing employees with USBs that include software-free, onboard authentication and military grade 256-bit encryption, the information security training professionals said.

When employees encrypt their USB devices they are safeguarding the organizations sensitive data and protecting themselves. Encrypted USB drives are easy to use and the cost of protecting your data is nominal in comparison when considering the financial consequences of a data leak.