The overlooked security threat that could cost businesses $2.5 million

USB drives can boost productivity by allowing users to bring work data with them wherever they need it. But those drives’ portability also makes them a big security risk that IT must deal with.

Take the case of East Surrey Hospital in Redhill, UK, which recently revealed it had lost the personal medical details of about 800 patients stored on a USB thumb drive misplaced by an employee.

The data loss took place in September 2010, but wasn’t announced until the hospital put out a recent annual report, according to the Crawley Observer. The hospital admitted the drive was unencrypted and that the data contained on it included names, dates of birth and medical information.

The report stated that the hospital does have strict policies requiring employees to use encryption when they carry data on USB drives, but acknowledged that management must make sure employees are aware of and follow the policy.

East Surrey Hospital certainly isn’t the only organization to lose data because of portable USB drives. In fact, those that haven’t are in the minority, according to a recent survey by the Ponemon Institute. Of the 743 IT managers surveyed, 47% were certain and 23% believed it was most likely that their company had experienced a data breach because of information contained on a missing USB drive.

The survey also found that employees regularly engage in dangerous behaviors with USB drives, and companies aren’t doing enough to stop them. Respondents admitted that their organization’s employees:

  1. Use USB drives at work without getting permission to do so (cited by 78% of respondents)
  2. Lose USB drives without notifying management (73%), and
  3. Regularly use generic USB drives, such as those given out for free at trade shows (72%).

The consequences of that behavior can be huge for companies — Ponemon estimates organizations have exposed an average of 12,000 records due to lost USB drives over the past two years. With estimated losses of $214 per record, that means misplaced USB drives could have cost each of those businesses more than $2.5 million.

To prevent those losses, Ponemon recommends IT managers:

  1. Provide encrypted USB drives to users who deal with sensitive data. Research and anecdotal evidence show they’re going to use USB drives anyway, so they should use models that are approved by IT.
  2. Monitor behavior and enforce policies. Just 48% of respondents said they have policies defining acceptable use of USB drives — and even worse, 58% of those that have policies don’t enforce compliance. IT should use monitoring tools to make sure the rules are being followed.
  3. Train users so they’re aware of the policy. Just 29% of respondents said they use employee training to enforce policies regarding USB drives. Users can’t be expected to follow the rules if they aren’t given a clear explanation of what the policies are and why they exist.

To read more, download Ponemon’s report here.