When it comes to USB drive security, some countries are clearly taking it more seriously than others. Recent pan-European research from the Ponemon Institute found a marked disparity between different countries’ attitudes towards USB drive security and governance, with UK enterprises not doing particularly well.
Germany leads the way, with 67% of its organisations providing employees with approved USB memory drives, while Denmark, Finland, Norway, the Netherlands, Sweden and Switzerland also scored highly.
Yet not every country surveyed did quite so well. The UK, along with France and Poland, saw only a third of companies maintaining an effective secure USB governance initiative, with a staggering 72% of those questioned admitting to having suffered a loss of confidential or sensitive data because of missing USB drives in the last two years.
So why are some countries taking a more proactive and engaged approach to USB security? More specifically, why is Germany — with 62% of respondents agreeing that their organisation has an adequate USB security policy in place to prevent employee misuse — leading the field? The answer is Germany’s dedication to enforcing stringent security regulations.
Germany’s Federal Data Protection Act, Bundesdatenschutzgesetz, is the strongest privacy and data protection legislation in the European Union and demonstrates the country’s commitment to protecting customer and employee information. Organisations now face tough data breach notification requirements. The regulations in place have definitely made organisations more conscious of the need to invest in security.
In addition, as high-profile data breaches continue to make headlines and cyber-attacks are detected more frequently, German organisations are being proactive in addressing the threats. German organisations also seem to be better at implementing and enforcing policies and procedures to address the risk of employee negligence.
This, combined with an appropriate investment in technology, makes German organisations more confident than organisations in the UK about their ability to minimise the risk of a data breach, as evidenced in our research.
In fact, according to the survey, Germany has the lowest rate of data breaches due to missing USB drives. German companies view the protection of confidential and sensitive information collected and temporarily stored on USB drives as a high priority. In pursuance of this, 67% of German businesses, compared to only 40% in the UK, provide their employees with approved USB drives.
This is one of the cornerstones of any secure USB drive policy. Organisations should always provide their employees with approved high-quality USB drives featuring 256-bit AES encryption and up-to-date security technologies. Sadly, according to the research, 55% of staff in the UK admitted to using their own unapproved and unregulated devices.
Germany also came top for the percentage of its organisations that had policies describing acceptable or unacceptable uses of USB drives for employees. After all, while the handing out of approved devices to staff is an important first step, German companies realise it is vital to follow this up with a second step of ensuring and enforcing the correct use of these drives.
For example, employees are made aware that they can’t use a USB drive casually picked up at a conference or meeting, but only company-approved devices.
However, simply purchasing secure encrypted USB sticks is no longer enough. Employee negligence occurs with or without governance policies in place, which makes it the more serious problem. The key is to first understand how employees put sensitive and confidential information at risk in your organisation, then address the risk through enabling technologies and enforceable policies.
Training and awareness programmes are also a vital part of reducing employee negligence. It is important that employees understand not only the importance of safeguarding personal information but also how to comply with the organisation’s policies and procedures.
Part of any effective USB drive security policy should also be regular scans of the devices to detect viruses or malware. Because USB drives are commonly used for transferring data or files from one computer to another, they are prime targets for all manner of infections.
This makes it all the more worrying that 71% of UK organisations canvassed in the survey said they had no technologies in place to prevent or detect viruses or malware on USB drives used by their employees.
That leaves a worryingly low proportion with such technologies in place. After all, malicious code can be used to steal personal data or confidential company documents, or simply to allow access to an infected system. It seems UK organisations could and should do more to combat this form of potential intrusion.
What is more, according to other research from the Ponemon Institute, the average cost per record to businesses from data lost on USB devices in the UK is a staggering £73. That figure should be a wake-up call to all European organisations. Put simply, where Germany leads the way, the UK must now follow, with companies introducing best practice policies, procedures and awareness training for their staff before it is too late.