Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:55 PM
Nancy Feig
Nancy Feig
Connect Directly

Banks Aren’t Securing USB Ports, Study Reports

Removable media devices pose dangers for banks without effective controls, according to a recent study by IT asset-management solutions provider Centennial Software.

Despite all the attention on data security, small devices in banks may lead to big trouble. According to a recent survey by IT asset-management solutions provider Centennial Software (Swindon, England), removable media devices, such as USB flash drives, now represent the No. 1 threat to corporate security, surpassing Web viruses and malware/spyware for the first time.

Only 20 percent of companies, however, have effective measures in place to protect against the threats these devices can pose, Centennial says. According to the study -- which surveyed more than 370 mid- and senior-level IT managers in late April at the InfoSecurity Europe conference in London -- more than 43 percent of companies have no controls in place to manage removable media devices, and 27.4 percent leave it to the manager's discretion; just 8.6 percent have instituted a companywide ban. With more than 65 percent of IT managers reporting that they use USB devices on a daily basis, Centennial notes, there is much room for danger.

USB flash drives, or thumb drives, represent both inbound and outbound threats, according to Matt Fisher, VP, Centennial. Inbound threats consist of employees bringing things onto the network, including Trojans or worms that can propagate across the network, he explains; outbound threats are related to data security and privacy, specifically files taken off the network without permission. "Leaving the use of removable devices at the discretion of staff exacerbates the risks posed by these devices," says Fisher.

Except for a few select cases, Cherry Hill, N.J.-based Commerce Bancorp ($39.5 billion in assets) has banned the use of USB devices to strengthen its data security and privacy efforts, reports James Gertie, the bank's chief risk officer. He says the bank's managed desktop environment is configured to disable spare USB ports and prevents employees from changing their desktop configurations.

While Commerce utilizes an in-house-developed solution, in addition to Centennial, several third-party vendors offer IT-based solutions for securing USB ports at financial institutions. San Ramon, Calif.-based Smartline, for example, offers DeviceLock, which monitors requests to load data onto USB devices and denies or allows those requests depending on the bank's policies.

Centennial's own software product, DeviceWall, sits on a central server where it applies and enforces the financial institution's endpoint security policy and actively deploys it to Windows PCs, according to Fisher. He says more than 30 financial institutions are using the DeviceWall product.

"We chose DeviceWall to help us manage the presence of portable storage devices in our offices and combat the threat of these devices being used to either remove confidential information or introduce malicious code onto the network," said George Kozyrakis, EDP deputy manager for Athens-based National Bank of Greece (US$103 billion in assets), in a release. The bank has nearly 20,000 users of DeviceWall.

Comment  | 
Print  | 
More Insights
Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.