USB devices provide a quick, easy and efficient way to transport data. For several years this has been the go-to method for many people however there are some severe Cyber Security concerns surrounding the usage of USB devices, particularly storage devices. Some of the more common security concerns include; losing the device thus losing control of the data on the device and transferring malicious code such as viruses from device to device.

Losing a USB storage device can result in serious repercussions, particularly if the device contains confidential information. The loss of confidential information can result in a hefty financial cost for the company as well as the damage reputation and embarrassment, not to mention the implications for the person who’s confidential data was lost. On top of all this it’s not uncommon for people to only store the data on the USB device and have no backups. Imagine that, not only does the company incur a large fine for the loss of confidential data but the company no longer even has a record of the data. Sure, there are encrypted USB devices but the vast majority of USB devices used do not have encryption and this also will not help if the only copy of the data was stored on the lost device.

Regularly, people download files from the internet such as music and store these files on their USB device. Not only is the music normally sourced in an illegal manner but it’s often packaged with malicious code before being distributed. This means that these devices which are storing work data can also be storing viruses, when the staff member innocently plugs their USB device into their work computer they could be potentially bringing a virus onto their work network. It is hoped that the company antivirus system will handle the virus preventing it from causing any damage, but why take the risk in the first place?

So what should companies do protect themselves? Well, there are a couple of mitigation processes the company should implement. First and foremost, user awareness is always a great way to help combat Cyber Security threats. The company should educate their staff on the risks of storing work data on a USB storage device.

A port blocking/device control application should be installed on all end-user devices within the company. This should be configured to completely block all USB devices that have not been specifically authorised. Configuring the application to make all USB devices read-only would still allow a virus to be transferred from the USB device to the computer. It will also not prevent staff members creating confidential documents at home, saving them to the USB to bring into work (as read-only would still allow the data to be copied from the USB device to the work computer) and losing the device during their journey. This is why it is encouraged to completely block all unauthorised USB devices.

Okay, great. So now staff can’t do work at home and bring it in to the office, not very productive! Well the topic of staff working from home securely is an entirely separate article and one I do plan to add to this website. For now let’s just look at how staff can still do work at home but also access it in the office.

Cloud storage! There are many cloud storage solutions available, Microsoft OneDrive, Google Drive and Apple iCloud are just a few in a very long list. Which solution is best for the company depends on the company’s requirement but using cloud storage would eliminate the possibility of losing a USB storage device. Cloud Storage is also virus scanned by the vendor so it should eliminate or at the very least mitigate bringing viruses onto the corporate network through other files stored in the same location as the work data.

Another solution to allow staff to continue working remotely is to implement a VPN. I will not go into detail on this as it will be veering off topic and would be better suited to the article on securely working remotely.

You find a USB storage device on your work premises but you don’t know who it belongs to, what do you do? Did plugging this device into your computer to see if there was any work on it that would give away the identity of the owner so you could return it come into your mind? Well, that’s exactly another reason why it is important to enable device control on the company computers. Not only can that USB device be hosting viruses but it can also have been planted by somebody with malicious intentions just hoping a staff member would plug the device into their computer.

A hacker could load malicious content onto a USB such as keyloggers or Remote Access Trojans that will provide the hacker with any passwords you enter on your work machine as well as provide them with remote control of your computer. Device control configured to read-only would still be exploited in this situation, which is another reason to support configuring device control to completely block devices. Of course, your antivirus software should hopefully prevent you being exploited in this way and there are a few very good antivirus companies out there but none can be 100% effective.