While these devices have evolved considerably over the years and are now able to store enormous volumes of data, this is a double-edged sword. Specifically, convenience and portability must be weighed against the numerous opportunities for sensitive files (financial data, employee’s personal information, or unreleased product specifications, for example) to be compromised if a drive is misplaced. Anyone who has ever lost track of a corporate device during post-work socialising will appreciate how easy this is to do!
Compounding these concerns, cyber criminals are still utilising USB drives as one of their numerous attack strategies, mailing devices loaded with malicious software to employees under the guise of their software provider or even the organisation itself, with the ‘autorun’ feature enabled, so the contents will run immediately, without requiring a prompt. When these are plugged into a corporate device, the malicious software will take effect straight away, before the employee has a chance to take preventative action.
There is also the potential for drives to be used for non-work purposes, which means any malicious software that has infected employees’ personal devices can enter the corporate network. This also further complicates the ongoing challenge of asset tracking and management, and so should be discouraged.
Simple steps to safe use of USB drives and other removable devices
Of course, the simplest way to mitigate the security risks associated with USB drives is a blanket ban on their usage as part of your wider corporate security policies. However, if you feel there is still a good case to be made for their usage in specific circumstances, it is still possible to allow for this while maintaining a robust cyber security posture. However, before you do so, we would strongly recommend you conduct a thorough analysis of the potential risks vs. the potential benefits.
If you decide that there is still a case for USB drives to be used in some capacity, then it is important that you clarify exactly when and why, formalising this as part of your corporate security policies. This must be followed by ongoing training for all staff, to ensure best practice is always followed, especially when it comes to not plugging in devices of unknown origin just to see what’s on them, and not utilising corporate drives for non-work purposes. As we say regularly on this blog (because trust us… it always needs reiterating!), human error remains the leading cause of cyber security breaches. With this in mind, it is vital that you do everything you can to keep your teams informed about the latest risks and their role in mitigating them.
In addition, there are technical measures that can be taken to provide IT teams with the greatest possible control and visibility. For example, centrally managed anti-virus solution, such as Microsoft Defender or Sophos, can enable granular control over USB drives and other removable devices. We would recommend denying all removable storage devices as the default, with permissions granted only by exception. This might mean specific models of drive, or even custom ones, commissioned for your organisation and unavailable elsewhere. Regardless, all should require proper configuration and encryption, with autorun disabled, before they are authorised for use.
Consider the alternative…
In closing, let us offer a suggestion…
The speed of Cloud transformation continues to increase, with a growing range of platforms (e.g. Sharepoint or Google Workspace) now available to support the secure, seamless sharing of information. When utilised in conjunction with a Cloud-ready cyber security ecosystem, these offer an extremely attractive alternative to USB devices, completely eliminating the need to deploy and manage physical devices.
Otherwise, if you’d like to talk cyber security with our own experts and make sure you’ve taken measures to secure against the risks we’ve looked at here, plus the other hidden threats that keep emerging on a seemingly endless basis, don’t hesitate to get in touch!
Does the humble USB drive still have a home in the modern workplace?
USB drives were formerly omnipresent in the workplace, but as the cyber security risks they potentially represent become increasingly apparent, is it time to limit their use, or phase them out altogether?