Banks Aren’t Securing USB Ports, Study Reports
Despite all the attention on data security, small devices in banks may lead to big trouble. According to a recent survey by IT asset-management solutions provider Centennial Software (Swindon, England), removable media devices, such as USB flash drives, now represent the No. 1 threat to corporate security, surpassing Web viruses and malware/spyware for the first time.
Only 20 percent of companies, however, have effective measures in place to protect against the threats these devices can pose, Centennial says. According to the study -- which surveyed more than 370 mid- and senior-level IT managers in late April at the InfoSecurity Europe conference in London -- more than 43 percent of companies have no controls in place to manage removable media devices, and 27.4 percent leave it to the manager's discretion; just 8.6 percent have instituted a companywide ban. With more than 65 percent of IT managers reporting that they use USB devices on a daily basis, Centennial notes, there is much room for danger.
USB flash drives, or thumb drives, represent both inbound and outbound threats, according to Matt Fisher, VP, Centennial. Inbound threats consist of employees bringing things onto the network, including Trojans or worms that can propagate across the network, he explains; outbound threats are related to data security and privacy, specifically files taken off the network without permission. "Leaving the use of removable devices at the discretion of staff exacerbates the risks posed by these devices," says Fisher.
Except for a few select cases, Cherry Hill, N.J.-based Commerce Bancorp ($39.5 billion in assets) has banned the use of USB devices to strengthen its data security and privacy efforts, reports James Gertie, the bank's chief risk officer. He says the bank's managed desktop environment is configured to disable spare USB ports and prevents employees from changing their desktop configurations.
While Commerce uses an in-house-developed solution, several third-party vendors besides Centennial offer IT-based solutions for securing USB ports at financial institutions. San Ramon, Calif.-based Smartline, for example, offers DeviceLock, which monitors requests to load data onto USB devices and denies or allows those requests depending on the bank's policies.
Centennial's own software product, DeviceWall, sits on a central server where it applies and enforces the financial institution's endpoint security policy and actively deploys it to Windows PCs, according to Fisher. He says more than 30 financial institutions are using the DeviceWall product.
"We chose DeviceWall to help us manage the presence of portable storage devices in our offices and combat the threat of these devices being used to either remove confidential information or introduce malicious code onto the network," said George Kozyrakis, EDP deputy manager for Athens-based National Bank of Greece (US$103 billion in assets), in a release. The bank has nearly 20,000 users of DeviceWall.