Pressemitteilung BoxID: 184527 (ENISA - European Network and Information Security Agency)
  • ENISA - European Network and Information Security Agency
  • P.O. Box 1309
  • 71001 Heraklion, Crete
  • Ansprechpartner
  • Lisa Lindy
  • +30 (2810) 391-399

USB flash drives: small device, major headache?

EU Agency ENISA advises companies on 12 threats from accidental loss or theft of confidential corporate data on unsecured USB flash drives

(PresseBox) (Heraklion, Crete, ) In a report issued today, ENISA, the EU Agency for European Network and Information Security, highlights the potential misuse of USB flash drives to breach security of corporate data or introduce malicious code. The Agency shares good practice in minimising the risk of uncontrolled use of such devices which can cost business anything from €65,000 to €1.6 million per security violation.

Today’s trend of being “always on”, fully mobile and connected has led to the significantly increased use of mobile devices such as notebooks and personal digital assistants. Personal storage devices such as flash drives have become universal business tools in an effort to maintain productivity when out of the office. First marketed in 2000, 85 million USB flash drives were sold in 2007.

And yet these mobile devices often lack security control - 80-90% of USB flash drives sold to business last year were not encrypted – are not stored in a secure location and used without limitation. Despite the fact that they might contain private data, financial information, business plans or other confidential records, ENISA warns that USB flash drives are usually overlooked by corporate policies on audits, back-ups, encryption and asset management.

Often devices are inadvertently lost such as when the UK Revenue and Customs misplaced an unencrypted CD-ROM with the personal details of 25 million taxpayers. In a Datamonitor survey of 1,400 ICT professionals, 60% revealed they had experienced a ‘data leak’, 61% of which believed it to be the work of insiders. More often than not, criminals seek out flash drives as their theft usually goes unreported due to their small size and low cost.

The Executive Director of ENISA, Mr Andrea Pirotti commented: “The cost of a USB flash drive may be insignificant but the value of the data it might contain can be priceless. ENISA strongly encourages companies with highly regulated or sensitive data to better manage the use of ‘plug-and-play’ devices. But equally all organisations should establish a first line of defence by increasing awareness of the risks and available safeguards. Data loss is not just a security concern for the IT department but a strategic issue with far-reaching implications for a firm’s future.”

Among its 19 recommendations, the Agency specifically highlights the importance of a risk assessment to understand the costs of data leakage and the controls needed to offset this threat. Companies also need to introduce security policies for these devices and consider authentication and encryption tools.

The full report is available at:

ENISA - European Network and Information Security Agency

The European Network and Information Security Agency (ENISA) is an agency of the European Union. ENISA was created in 2004 by EU Regulation No 460/2004 and is fully operational since September 1st, 2005. It has its seat in Heraklion, Crete (Greece).

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.

ENISA assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future Community legislation. ENISA ultimately strives to serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information securit