Most IT professionals fail to encrypt USB, survey reveals

Over half of IT professionals do not encrypt the USB sticks they use to store company data, a survey has revealed.

Some 11% of over 200 IT professionals polled at Infosecurity Europe 2010 by security firm Credant Technologies said they used only a password to protect their mobile storage devices.

Sixty-seven per cent admitted they carried information relating to their company's intellectual property, 40% carried customer data and 26% carried employee details.

The loss of personal data on unprotected USB devices is common in the UK, with at least one case reported in the past month by the Information Commissioner's Office (ICO).

The ICO found the West Berkshire Council in breach of the Data Protection Act (DPA) for losing personal information on a USB stick that was neither encrypted nor password protected.

The NHS accounts for a quarter of all data breaches reported, and the ICO has said it remains highly concerned that data breaches involving personal information continue in NHS organisations.

The legal sector, where confidentiality of information is extremely important, appears to be succeeding where the health sector is failing.

International law firm Bird & Bird has been using encryption for all portable media for the past three years.

All Blackberry devices used by the law firm are also encrypted and password protected, said Jon Spencer, infrastructure manager at Bird & Bird.

"It is difficult to understand why all organisations are not routinely encrypting information stored on portable media or smartphones," he said.

If over half of all IT professionals are carrying unprotected sensitive information on USB sticks, the problem may be bigger across all sectors, said Sean Glynn, vice-president and chief marketing officer of Credant Technologies.

"It makes me question what needs to happen to make organisations wake up to the risk," he said.

The ICO has warned that it will not hesitate to impose fines of up to £500,000 on organisations found guilty of serious breaches of personal data.

But privacy and legal experts have said the bigger fines introduced in April may still not be big enough to be taken seriously by big business.
