USB flash drives: small device, major headache?

EU Agency ENISA advises companies on 12 threats from accidental loss or theft of confidential corporate data on unsecured USB flash drives

Heraklion, Crete, (PresseBox) - In a report issued today, ENISA, the EU Agency for European Network and Information Security, highlights the potential misuse of USB flash drives to breach security of corporate data or introduce malicious code. The Agency shares good practice in minimising the risk of uncontrolled use of such devices which can cost business anything from €65,000 to €1.6 million per security violation.

Today’s trend of being “always on”, fully mobile and connected has led to the significantly increased use of mobile devices such as notebooks and personal digital assistants. Personal storage devices such as flash drives have become universal business tools in an effort to maintain productivity when out of the office. USB flash drives were first marketed in 2000; 85 million were sold in 2007.

And yet these mobile devices often lack security controls (80-90% of USB flash drives sold to business last year were not encrypted), are not stored in a secure location and are used without limitation. Despite the fact that they might contain private data, financial information, business plans or other confidential records, ENISA warns that USB flash drives are usually overlooked by corporate policies on audits, back-ups, encryption and asset management.

Often devices are inadvertently lost, such as when the UK Revenue and Customs misplaced an unencrypted CD-ROM with the personal details of 25 million taxpayers. In a Datamonitor survey of 1,400 ICT professionals, 60% revealed they had experienced a ‘data leak’, 61% of whom believed it to be the work of insiders. More often than not, criminals seek out flash drives as their theft usually goes unreported due to their small size and low cost.

The Executive Director of ENISA, Mr Andrea Pirotti, commented: “The cost of a USB flash drive may be insignificant but the value of the data it might contain can be priceless. ENISA strongly encourages companies with highly regulated or sensitive data to better manage the use of ‘plug-and-play’ devices. But equally all organisations should establish a first line of defence by increasing awareness of the risks and available safeguards. Data loss is not just a security concern for the IT department but a strategic issue with far-reaching implications for a firm’s future.”

Among its 19 recommendations, the Agency specifically highlights the importance of a risk assessment to understand the costs of data leakage and the controls needed to offset this threat. Companies also need to introduce security policies for these devices and consider authentication and encryption tools.

The full report is available at:

ENISA - European Network and Information Security Agency

The European Network and Information Security Agency (ENISA) is an agency of the European Union. ENISA was created in 2004 by EU Regulation No 460/2004 and has been fully operational since September 1st, 2005. It has its seat in Heraklion, Crete (Greece).

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.

ENISA assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future Community legislation. ENISA ultimately strives to serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information security.
