A survey performed by Utimaco looks at the security of removable storage devices such as USB sticks, thumb drives, memory cards and recordable CD/DVD media. We understand that this is a survey run by a security vendor, and that it says there is a security problem that must be addressed by buying security equipment.
Despite all this, what Utimaco is claiming must be considered. That thought is buttressed by the fact that a lot of other experts -- some without a horse in the race -- agree with the premise that removable media is a significant security threat.
The survey doesn't appear to be scientific, since it was conducted at a security conference and, therefore, was unlikely to get a representative sampling of corporate users. Unfortunately, the fact that the 477 respondents were security professionals suggests that a look at the general population would reveal even deeper challenges.
The survey, which was conducted last autumn, found that while 92 percent of respondents feel data on removable devices should be protected, 60 percent said that it is not. A quarter of respondents store critical business data on removable storage devices, but only 19 percent work at institutions with a security policy in place. Seventy-five percent use more than one removable storage device. The average number of devices is seven.
The bottom line from these numbers is clear: There are a lot of removable storage devices floating around, many of them are employed for business uses and, by and large, they are not well protected. This is hardly good news, and could get worse as the devices evolve. The concern is not only that portable devices can be used to carry data outside the office inappropriately; such equipment can also bypass firewalls to introduce viruses or otherwise compromise network security.
Removable storage devices cut to the heart of the challenges of mobile security. They have all the characteristics that make CSOs nervous. They are portable and easily hidden, are effectively not under IT's control, are ubiquitous, and rarely come with adequate security. Moreover, the majority of organizations are not likely to deal with the problem head-on simply because it is tricky -- and easily ignored.