Misuse of Portable Storage Media Top Insider Threat

March, 2009

(Irvine, Calif.) – IT executives rank misuse of portable storage devices by employees as the most serious security threat posed by insiders who unintentionally expose corporations to loss of data, malware, liability, and other security risks.

A new security study by Computer Economics, entitled Insider Misuse of Computing Resources, found that 57% of IT organizations rate misuse of portable storage devices as a major threat. Also ranking high among 14 types of insider misuse are unauthorized software downloading (56%), unauthorized use of P2P file-sharing programs (54%), and unauthorized use of remote-access programs (53%).

This study examines only threats posed by insiders who inadvertently expose organizations to risk. A soon-to-be-released sister report, Malicious Insider Threats, will address threats where insiders intend to harm the organization or act in a purposeful way that threatens the organization’s interests.

“After taking steps to combat malware and network intrusion, IT executives are increasingly aware that today their largest threats may come from insiders, and they are taking these threats seriously,” said Frank Scavo, president of the IT research and advisory firm. “Yet our study also makes clear that organizations are struggling with understanding how to combat these threats.”

Scavo said, for example, that more than a third of all organizations have no policy against loading sensitive data onto portable storage media such as USB flash drives, a practice that can lead to data leakage as well as become a vector for malware to enter the corporate network. “At the same time, the growing capacity of these drives is opening the door ever wider,” he said.

The Computer Economics study, based on a survey of 100 IT security professionals and executives, found that organizations place more emphasis on categories of misuse that can lead to loss of data or expose the organization to liability. In addition to the top four threats, other threats rated as major by more than 40% of IT organizations include rogue wireless access points; unauthorized modems; downloading of unauthorized media; and use of personal computing devices for business purposes.

IT executives were less concerned about six other threat categories, which were rated as major threats by fewer than 25% of the executives. These included unauthorized blogging or participating in message boards concerning the organization’s business; instant messaging using personal accounts; non-work-related web browsing; and using the organization’s email system for personal matters. These threats primarily concern loss of worker productivity.

A summary of the report’s key findings is freely available.

The full report, Insider Misuse of Computing Resources, analyzes threats, enforcement trends, and policies for each threat. It is available to Computer Economics subscribers or can be purchased from our website at https://avasant.com/research/computereconomics.