The U.S. military recently underscored the problem in confirming that a 2008 attack on its systems originated with a flash drive plugged into a military computer located in the Middle East. The attack served as a wake-up call to the Pentagon, which responded by banning USB flash drives for more than a year. The ban was lifted earlier this year.
Few companies have locked down their systems against devices that can be used to steal data or infect networks from behind the perimeter. Earlier this year, a variant of an attack program known as Stuxnet used USB and other methods to spread among power companies, stealing information on the configuration of their sensitive operational networks.
Panda Security recently reported that 32% of small and midsize businesses cite USB flash drives and other external memory devices as the vector for viruses that infected victims. Almost half of all U.S. companies have been infected by a virus via a USB flash drive.
An employee who takes work home by loading it onto a USB flash drive could lose the device, exposing potentially valuable data. That raises a question: Is the threat posed by the device or by data on the device?
In a recent Ponemon Institute survey of IT security and operations managers, funded by Lumension, nearly 60% of respondents rated technology to control USB and other devices as important or very important, while 57% gave a similar rating to data-loss prevention technologies. However, antivirus and anti-malware technologies, whole-disk encryption, application controls, patch management, and IT asset management were all rated as more essential.
Employee education is part of the fight to secure companies against such mobile devices. In addition, encryption, role-based authentication, and data-loss protection can all help reduce the threat.