Encrypted memory sticks could cure user carelessness

As the price of USB pen drives decreases, so does the inherent value employees attach to them. Two recent studies show that users have very little security awareness when it comes to memory sticks.

A quick scan of eBay shows you can buy low-end 32 GB memory sticks for as little as £20. Meanwhile, a 4 GB device, which would have been beyond imagining just a few years ago, can now be bought for a fiver, while 1 GB models are almost given away.

But therein lies the problem. Everyone knows that USB sticks are, figuratively speaking, two a penny, so if you lose one, you just find another one to use. It’s just like losing a ballpoint pen; it’s not worth the trouble of looking for it.

However, while the cheap USB pen drives themselves may have virtually no monetary value, the data they often hold -- customer information, personal health records or intellectual property -- can be invaluable. Add to that the danger of an infected USB device being brought into an organisation, plugged into a networked PC and spreading malware to other users, and a serious security situation could result.

A new study carried out by Swedish USB stick manufacturer BlockMaster AB questioned more than 1,000 office workers in London about their attitudes toward using memory sticks. Three-quarters of respondents said that if they found a USB stick somewhere, they would not hesitate to plug it into their corporate PC, potentially opening their network to whatever malware might have been planted on the device.

Another 20% admitted they had lost a USB stick containing unprotected sensitive information.

“This is alarming, as many viruses on USB sticks can run as soon as they are plugged into a PC … causing widespread damage to a corporate network,” said Anders Kjellander, CSO at BlockMaster. “Even if unprotected USB sticks are not infected with viruses or worms, they can contain sensitive corporate data.”

And where do those lost USB sticks end up? Older studies have suggested a good number end up in the back of London taxis, along with a whole bundle of phones, PDAs and laptop computers, but one new piece of research throws new light on the habits of thumb drive users.

Credant Technologies, which specialises in endpoint security, surveyed 500 dry cleaners and laundrettes in the UK during December 2010 and January 2011. Bearing in mind that the UK has around 4,500 dry cleaners and laundrettes, the research extrapolated the results from the survey sample, and estimated that more than 17,000 USB sticks were left in clothes dropped off for cleaning in the UK during 2010.

These two pieces of research underline a problem that could be costly for organisations, both in terms of their reputations and in fines from the Information Commissioner's Office (ICO) if personal information is not suitably protected on laptops, USB sticks or any other lost device.

In Feb. 2011, the ICO handed out financial penalties to two local councils that had failed to ensure personal information was encrypted on laptop computers.

And on Feb. 23, 2011, Mark Lloyd, the chief executive of Cambridgeshire County Council, was forced by the ICO to publish a signed undertaking, pledging to tighten security after a member of the Council's staff lost an unencrypted USB stick containing some personal data relating to vulnerable adults.

“While Cambridgeshire County Council clearly recognises the importance of encrypting devices in order to keep personal data secure, this case shows that organisations need to check their data protection policies are continually followed and fully understood by staff,” said Sally-Anne Poole, enforcement group manager at the ICO, in a statement. She also welcomed the fact that the council has “agreed to carry out regular and routine monitoring of its encryption policy to ensure it is being followed.”
