A survey of dry cleaners and laundrettes in the UK discovered more than 17,000 USB sticks were left behind in 2010 in clothes left to be dry cleaned. This is a 400 percent increase from 2009. More than 500 dry cleaners and laundrettes from around the U.K. participated in the research survey.
The number of USB sticks forgotten in trouser and shirt pockets is staggering and is a direct result of growth in ‘IT consumerisation,’ as consumers today carry more mobile devices than ever before, such as smart phones, laptops, iPads, USB sticks and other portable devices.
Inevitably, unsuspecting consumers leave the USB sticks behind, creating a potential risk for their employers if these devices have proprietary information on them and end up in the hands of criminals.
IT consumerisation refers to the incremental use of personal, consumer electronics and web services in an enterprise environment, particularly mobile technology that can be used to store personal and private data. USBs are the cheapest and most convenient means of storing private data; however, they are most likely also the most easily lost devices.
With so many thousands of USBs left in dry cleaners alone, the probability increases that valuable corporate data resides on them, presenting a potential security risk for a consumer’s employer. In the U.K., the Information Commissioner’s Office (ICO) was given the power in April 2010 to issue fines of up to £500,000 for breaches of the Data Protection Act (DPA). Four major fines have been issued since then, with two local authorities falling victim this month: Ealing Council for £80,000 and Hounslow Council for £70,000.
The public sector is looking to make savings of £81 billion over the next four years, and at the very least, this could be one way to make up some of the deficit. There remains one thing more important even than the potential £8.6 billion in revenues that could be generated if we were to assume that each of these USB sticks contained sensitive information and was not encrypted.
This type of assertive action from the ICO would make the corporations and organisations that regularly access and use potentially sensitive information finally put the policies, technologies and protections in place that can mitigate this risk.
Such technologies are available today in the market, offering the centralised detection, encryption, auditing and compliance reporting that organisations need to ensure the protection of their data. Even with the best intentions in the world, the reality is that devices are often left behind, and the information they contain could be devastating if disclosed, over and beyond the ICO fines. Organisations need to plan for this when developing their security strategies.