This may be one of the most stunning stories I’ve heard in a long time. According to a new study from AhnLab, South Korea's largest IT security vendor, 78 percent of IT security professionals have admitted to picking up and plugging in abandoned USB flash drives.
Now, I know plenty of people who wouldn’t blink twice about using a flash drive they found, but they aren’t security-savvy people. But IT security professionals, who should know better? After all, aren’t these the same people who are supposed to be warning us of the risks found on USB flash drives and how even brand-new drives are often loaded with malware?
So knowing this, perhaps the other primary statistic to come out of the survey, which took place at last month’s RSA conference, isn’t quite as surprising -- 68 percent had been involved in a security breach at home, work or personally.
The question arises – why are IT security professionals still relying on flash drives to store and transfer data? I’m not the only one wondering about this. John Thielens, CSO at Axway told me:
It is amazing to me in these days of the Internet that the sneakernet [the informal term used by IT professionals to describe the transfer of data using removable media like flash drives] persists, with people moving files around on physical media despite all the dangers of embedded executables and bypassing firewalls. Yet with 64GB flash drives now commonplace, what alternatives are readily available for users to exchange files equally as large with ease? IT needs to step up and provide enterprise-grade file sharing capabilities, with all the visibility and governance controls required to keep us safe while getting our jobs done. With or without sneakers.
I agree with Thielens – I would think that with the advent of the cloud, there is less need for exchanging data via external media drives. But I am still left wondering why exactly these folks are using discarded or lost flash drives at all. After all, as Brian Laing, VP of marketing and business development, AhnLab, pointed out in a release about the survey, Stuxnet gained access to its target system through a “found” USB drive. I can’t imagine that any IT security professional I know wants his claim to fame to be that he corrupted a network because he plugged in a flash drive he found in the parking lot.