USB storage devices have long been a plague to companies’ data security. Since 2008 when a malware-infected USB flash drive caused the worst breach of US military computers in history, organizations have become more aware of the dangers USBs pose, but data security strategies rarely deal effectively with them.
The reasons for it are fairly simple: USB drives tend to leave the confines of company networks where security policies are at their strongest. USBs are small and, therefore, easy to lose, forget, and steal. Employees can connect personal USBs or flash drives of dubious origin to their work computers. Third parties can plug in infected USBs in a moment of carelessness from an employee traveling for business.
While a data breach by itself can be disastrous for any company’s reputation and bottom line, in the age of the GDPR, data protection legislation makes the consequences even more severe. When a careless employee lost a USB with over 1,000 confidential files, including highly sensitive security and personal information, Heathrow Airport was fined £120,000 by the UK Information Commissioner’s Office.
With the risks so high, some sectors have chosen to ban USBs altogether, but there is no denying their usefulness on the go where they are often used to copy presentations, important documents needed for meetings or off-site printing. So how can companies continue to use USBs, but ensure they are protected against the biggest risks that come with them? Let’s have a look!
A popular social engineering technique to infect computers relies on individuals’ curiosity or desire to help others. If someone finds a USB in a public place, he or she may want to return it to its owner or would be curious to see what is on it. A seemingly harmless lost USB can be riddled with malware, infect a computer (Macs included!), and, if it is a work laptop, once it returns to the office, it can go on to infect the whole network.
It is, therefore, essential that employees understand the risks of unknown devices and are discouraged from connecting suspicious USBs to their computers, whether at home or while working. Poor security practices at home can lead to unknowingly infected personal USBs connecting to the company network. A well-informed workforce is more aware of the risks USBs pose and are better equipped to react if they are faced with a suspicious device.
Limiting the Use of USBs
Some companies choose to limit the use of USBs. This can be done through specialized software that allows organizations to control and block a computer’s USB and peripheral ports and monitor, lockdown, and manage devices that connect to endpoints. In this way, companies can ensure that only trusted devices can connect to a computer. Trusted devices can be USBs issued by the organization or reliable vendors or only secure devices such as those using encryption.
These policies, if applied on the endpoint, will also work remotely, ensuring that computers are protected when outside the safety of the company network.
Encryption for USBs
When it comes to company-issued USB storage devices, organizations should consider encryption as an easy way to protect any information saved on them. In this way, even if USBs are lost, forgotten, or stolen, the information on them cannot be accessed by outsiders without a password, eliminating the risk of a data breach and the hefty fines that come with it.
Some tools, like Endpoint Protector’s Enforced Encryption solution, can be deployed automatically by admins to all trusted USB storage devices when they are connected to a network computer. Once it’s installed, any data copied onto the USBs will be encrypted with government-approved 256bit AES CBC-mode encryption.
Other features include the possibility to reset passwords remotely in case they were compromised, limiting the number of times someone can insert a password as well as expiry dates for them.
USB storage devices are a frequent and highly dangerous blind spot in data security practices. Companies must develop data protection strategies that also address their vulnerabilities as devices through which data transfers occur, but also their increasingly common role in cyberattacks. By, among others, using a system of trusted devices and applying encryption to files transferred onto USB storage devices, organizations can effectively mitigate the risks that come with their use.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.