Report Reveals that Companies’ Biggest Data Security Threat is … Their Own Employees? 

By Walter Fiorentini, Apricorn

Cybercriminals are a scourge to every company: the security breaches they execute can inflict considerable damage to an organization’s reputation and bottom line, as well as a litany of logistical headaches. And that bottom line impact is significant: the Ponemon Institute recently estimated that the average total cost of a data breach increased by six percent between 2017 and 2018, to a colossal $3.86M per breach.

But according to a new report compiled by USB data storage device manufacturer Apricorn on organizations’ usage of USB drives, ironically, the biggest security threat to most organizations is a group of people the organization probably trusts the most: its employees.

While the vast majority of employees’ intentions towards data security are good – or at least, not nefarious – they are cutting corners when it comes to compliance with their employers’ data security policies. And whether those corners are being cut deliberately or not is ultimately beside the point, as the net result is that employees are placing their organizations at considerable risk when it comes to securing company, employee and customer data.

The report, which polled nearly 300 employees across industries including education, finance, government, healthcare, legal, retail, manufacturing, and power and energy, examined year-over-year trends of USB drive usage, policies and business drivers. The eye-opening results revealed that for the second year in a row, employees are aware of the risks associated with inadequate USB drive security – but aren’t following best practices, and are falling out of policy compliance.

The report found that while employees have been the main driving factor behind the adoption of USB drives in the workplace (according to 68 percent of respondents), security hasn’t been top-of-mind once the drives are in employees’ possession. And considering that employees are increasingly working remotely, the data on those drives is regularly taken outside of the company’s four walls – which further exposes the company to a wide range of security risks and threats. Following are the report’s most notable findings on employee usage of USB drives:


  • While 91 percent of respondents claimed that encrypted USB drives should be mandatory, a full 58 percent of respondents confirmed that they regularly use non-encrypted USB drives
  • Meanwhile, although 64 percent of organizations have a policy outlining acceptable use of USB devices, 64 percent of respondents said their employees use USB drives without obtaining advance permission to do so
  • In addition, in another example of employees discarding best practices and policies, nearly half of employees lost a USB drive without notifying appropriate authorities about the incident

Compounding the issue, employees are taking more security shortcuts than ever before, such as using USB drives without obtaining advance permission to do so; not notifying appropriate authorities after losing a USB drive; and increasingly using non-encrypted USB drives, such as those received “free” at conferences.

Based on these findings, what can organizations do to mitigate the data security risks introduced by their employees? The good news is, all is not lost– far from it, in fact. In order to defend against the data security shortcuts employees will invariably take – or to remove these shortcuts completely – organizations should:

  • Only distribute encrypted USB drives – no more unencrypted USB storage devices!
  • Institute port control to manage device network access – you don’t have to seal up your USB ports
  • Implement whitelisting software – prevent any and all non-compliant drives to be introduced to the organization

Ultimately, Apricorn’s report confirms that while employees have good intentions for USB device security, employers need to implement and communicate strict security policies and the necessary tools that keep employees compliant by eliminating the means to deviate.


To download the full report, “The State of USB Data Protection 2019: Employee Spotlight,” please visit:


July 18, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!