iPods, Portable Storage Devices Growing Threat For Workplace Data Leakage

• Jul 25, 2007

CREDANT Technologies recentlyreleased the results of a survey of 323 directors, managers, CIOs, CEOs and others from the fields of IT, banking and finance, medicine, government, and education on the use of portable data storage devices including iPods, MP3 players, USB flash drives, and data-centric smart phones/SD cards in the workplace. The objective of the survey was to find out if organizations are prepared for data breaches from iPods, whose storage capacity reaches 80 gigabytes, as well as MP3 players and USB flash drives.

The survey found that although organizations see rapid growth in the use of these portable storage devices, few have a solution to prevent widespread data loss via these easy-to-lose devices. In addition, CREDANT conducted a video survey of workers who use iPods in corporations throughout Silicon Valley, with the same sobering results.

"One of the leading industry research firms estimated that the shipment of USB flash drives would exceed 114 million and SD/CF cards would exceed 375 million by the end of 2006. And Apple has sold over 100 million iPods," said Bob Heard, CEO and founder, CREDANT Technologies. "These highly vulnerable portable storage devices continue to push the consumerization of IT to the limit. Alarmingly, although people think that iPods pose a threat to their organization, too few people understand what that threat is and too few organizations are prepared to address the issue."

The following are the top five key findings from the survey:

• 86 percent of those polled cited the USB flash drive as the device most often used to store data exchanged between computers; data-centric smart phones with SD cards came in second. But when asked to rank these devices as a source of data leakage, respondents thought the iPod was as much of a threat as the SD card/smart phone: 78 percent identified the USB flash drive as the greatest threat to organizations, 13 percent chose the data-centric smart phone, and 10 percent said the iPod was the biggest threat to corporate data.
• Use of the iPod at work is high, with 61 percent of respondents stating that they use their iPod when traveling or at work. iPods are being brought into the workplace by Generation X and Y employees (ages 18-30). These generations have grown up with computers, and the transition from thinking of the iPod as simply an audio player will change quickly as more and more users consolidate storage devices and learn how easily an iPod or an MP3 player can be used to store large amounts of data.
• There is a lack of understanding as to the threat iPod use poses to an organization. Widely used at work, their data leakage threat is not nearly as well understood as that of the USB flash drive. Although 61 percent of respondents had never heard of "pod slurping" (the downloading of corporate data to an iPod), 67 percent believe that iPods and similar devices are a threat now. Organizations are faced with the challenge of making sure that all data stored on iPods and other portable devices is secured because the issue of data privacy and the requirement to encrypt data applies to any platform or vehicle used to store personally identifiable data -- and an 80 gigabyte iPod can hold a lot of data.
• Despite the fact that 67 percent of all respondents believe that iPods are a security threat today, 49 percent said they would not take any preventative action to protect against potential breaches until they know the devices are more widely used to store business data.
• Only 6 percent of respondents have an encryption solution for data stored on iPods. And while 46 percent say they have a written security policy governing the use of iPods, 40 percent have done nothing to address this security issue.

Although survey respondents acknowledged that USB flash drives, iPods/MP3 players and data-centric smart phones with SD cards are moving into the workplace and being used to store data, organizations are still reticent about securing these devices. As enterprises, government agencies, schools, and hospitals look for a way to control data leakage from desktops, laptops, USB flash drives and even iPods, there is a clear need to keep track and secure all devices that can store data. Securing these devices not only helps an organization better manage its data assets, it also ensures that the organization has complied with government regulations if a device carrying corporate data or a customer's or patient's identifying information vanishes.

Even the possibility that an employee's lost device has leaked data such as Social Security numbers, addresses, medical histories, or financial information is grounds for notification costs and financial penalties, and could cause a hailstorm of compliance issues and lawsuits. As in the VA case and others, an organization's reputation and business are at stake.