Removable devices have become commonplace tools in today’s work environment. They include everything from optical disks and memory cards to smartphones, USB flash drives, and external hard drives. An advantage of removable media is that employees can easily take files with them when working from home or traveling for business off-site. However, despite their usefulness, removable devices have long been labeled a security risk. Unencrypted, insecure, and at times infected, they can facilitate the spread of malware on a corporate network and the exfiltration of sensitive data from company computers.
USB devices, in particular, have a long history as the starting point of major data leaks and as a popular attack vector for the infection of company networks. According to the 2019 SANS State of ICS Cybersecurity Survey, 56% of attacks on operational technology and industrial control systems were initiated through direct physical access via a USB stick and other company equipment. USBs can also be used to boot up a computer and bypass login credentials to access unencrypted hard drives.
As a consequence, device control tools have become a crucial component of data protection strategies, allowing organizations to control and prohibit the use of removable storage devices. Our solution, Endpoint Protector DLP software, has an entire module dedicated to Device Control that includes some of the most advanced features on the market for removable media controls.
Let’s take a closer look at how they work!
Limit or block the use of removable media
Seeing the worrisome list of risks that come with them, many companies might be tempted to block the use of USBs and removable devices altogether. This can easily be done through Endpoint Protector’s Device Control module, which can block the use of USB and peripheral ports as well as Bluetooth connections, ensuring no device can connect to a work computer.
In many cases, however, by eliminating the use of removable devices, companies can hinder employees in their day-to-day tasks and force them to seek alternative file transfer solutions online. This can bring an entirely new category of data security risks into play. And while these can be addressed through other DLP features such as Endpoint Protector’s Content Aware Protection module, businesses can also choose to restrict the use of removable devices rather than block their use entirely.
Through Endpoint Protector’s Device Control module, companies can assign different levels of trust to devices based on their level of encryption. In this way, only removable media devices with a high level of security are allowed to connect to endpoints.
The policies organizations can apply to portable storage devices through Endpoint Protector are not limited to devices’ level of security or global settings for all company computers. Different rules can be created for particular groups, users, or computers.
In this way, companies can choose to enforce stricter security controls for employees that work with sensitive data regularly while allowing the rest of their workforce a greater degree of liberty. Alternatively, they can choose to apply a company-wide block of removable devices but make exceptions for particular individuals or departments that need them to perform their daily tasks. There is also a read-only setting that permits users to read files on removable devices but blocks data transfers to and from them.
Stricter policies out of the office
With the rise of bring-your-own-device (BYOD) policies and remote work during and in the wake of the COVID-19 pandemic, organizations have increasingly allowed work laptops to be taken out of the security of the company networks. Endpoint Protector, just as its name suggests, is a DLP solution applied at a computer rather than network level, which means its security policies will continue to be active whether a work device is in an office environment or at home.
Companies can go one step further to ensure the security of sensitive information outside of the office: they can enforce stricter removable media policies outside office hours, the company network, or both. They can define working days and hours as well as a company network’s DNS and ID in Endpoint Protector’s dashboard and then set different rules based on them.
Offline temporary passwords
Emergencies happen, especially when employees might be out of the office: they may need to use removable storage media to quickly transfer or view files for a meeting or client. For just such cases, Endpoint Protector offers administrators the possibility to generate an offline temporary password that, when used, grants temporary unrestricted access to a specific device, computer, or user.
Intuitive cross-platform interface
One of the greatest features of Endpoint Protector is its ease of deployment and use. Requiring no extensive training nor burdensome implementation periods, Endpoint Protector can be up and running in a few hours. Not only that, as a cross-platform solution, it offers feature parity for Windows, macOS, and Linux, ensuring the same device control policies are applied to work computers regardless of the OS they are running on.
Explore More on Device Control
Interested in diving deeper into the world of Device Control? Check out these hand-picked resources to expand your knowledge:
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.