
Sound Business Policies for Using USB Drives

Sep 7, 2022

Many companies permit using USB drives to store and transfer huge amounts of sensitive data. According to a recent market report, researchers forecast that the USB flash drive market will register an approximate 7.1% compounded annual growth rate in 2022. However, USB drives pose a serious security threat to an organization. A 2022 report revealed that removable media caused 9% of all cybersecurity incidents.

Some of the security risks introduced by the use of USB drives include:

  • Misplaced USB Sticks – Misplaced USB drives are a leading security risk plaguing most organizations. Lost drives that lack password protection or encryption can cause significant data breaches if they fall into the wrong hands.
  • Malware-infected flash drives – A 2016 study investigated what employees would do if they came across a USB drive in the parking lot. Shockingly, almost 50% said they would plug it into their computers. Unfortunately, the same human curiosity is likely still high in 2022. With more people working from home, an employee is more likely to connect to the organizational network with a malware-laden USB drive.
  • Unauthorized data copying or transfer – An insider threat can easily connect to a work computer or cloud storage and copy sensitive data without authorization. A business lacking robust access control policies and mechanisms is more vulnerable to this threat.
  • Lack of change management policies – Suppose an employee takes a job at a rival organization. The employee may leave with valuable company data intentionally or accidentally due to a lack of change management policies. As a result, the rival organization may use this data to gain an unfair competitive advantage.

Importance of USB Drive Acceptable Use Policies

Business policies for using USB drives are crucial since they define the acceptable procedures, restrictions, and standards for users and employees who have a legitimate business need to connect USB devices and related removable media to the organization’s corporate networks and systems. Also, because accelerated remote-working programs have increased the use of personal USB devices, USB drive use policies stipulate the access and security controls governing those devices.

In this regard, the business policies described in this document apply to all devices and related media that fall in any of the following categories:

  • Portable USB memory sticks that store or transmit data, including key drives, jump drives, thumb drives, and flash drives.
  • USB card readers through which users can connect to company infrastructure and transfer data.
  • SD memory cards, memory sticks, CompactFlash, and other flash-based storage media that organizations can use to access and store data.
  • Removable memory-based media, such as CDs, floppy disks, and rewritable DVDs, used to copy data from corporate infrastructure. 
  • Hard drive-based memory, smartphones with internal flash memory, cell phone handsets, and PDAs.
  • Any hardware or software that permits USB connectivity through wired or wireless networks.

Recommended Business Policies for Using USB Drives

  1. USB Drive Security Policy

All employees who use USB-related devices or software to store, back up, or transfer data within the organization should leverage secure processes for managing data. These include using strong passwords to protect data and an acceptable encryption mechanism. Employees must also not reveal the passwords to anyone, including family members, to protect against unauthorized access.

In addition, the organizational IT department must pre-approve the use of USB devices for any business interest. Pre-authorized USB drives must satisfy specific security measures for protecting enterprise data. These security measures include but are not limited to physical security, encryption, and strong passwords. Furthermore, the organization should ensure that non-work-issued computers connected to corporate USB devices have strong antivirus solutions with the latest antivirus signature files.

All USB drives that have been used outside the office must also be quarantined on their return before they can be used on any enterprise infrastructure. In addition, the IT department should quarantine all removable media used outside the organization to prevent potential malware contamination from spreading to other networks and systems.

Lastly, USB-based memory sticks used to store or transmit sensitive corporate data must conform to the organization’s authentication requirements, and end-users must create new passwords every time they use USB devices for business reasons. The passwords should not be stored on the storage devices themselves, so that a lost device does not also carry its own credentials. Additionally, to complement the authentication security of the USB devices, the organization’s IT department must pre-approve the hardware security configuration of any computer, whether company-owned or personal, before USB drives carrying corporate data can be connected to it.


  2. Organizational Protocols on USB Device Security

Well-defined security protocols are critical to safeguarding USB drives. Firstly, the organization’s IT department must establish and initiate audit trails for incidents involving security lapses. The audit trails should include sufficient processes for tracking every computer a USB drive has been connected to.

Therefore, all end-users must accept that the organization may monitor their access or connection to the organization’s network to record the times, dates, access duration, and volume of transferred files (from the network to the USB device and vice versa) to facilitate audit trails. Performing audit trails is essential to identifying suspicious behaviors, such as connections during odd hours and unusual usage patterns like copying large amounts of data. In addition, monitoring the use and connection of USB drives will help the company identify accounts or computers that have potentially been compromised.

In addition, all employees and end-users must agree to notify the IT department immediately of any incident that may involve USB drive security. Users must report cases where unauthorized people gain access to USB data, data loss through misplaced USB drives or other means, the connection of unauthorized drives to company networks, and disclosure of databases or company resources stored on USB devices. Prompt reporting permits early investigation and mitigation to cushion the impact of possible data loss or cyber-attacks.

  3. IT Support on the Use of USB Devices

Employees, third parties, temporary staff, and contractors should not modify company-issued systems or their associated software or hardware installations. Only the organization’s IT department may grant express approval for such modifications when necessary. This policy includes modifying or reconfiguring USB ports, which may alter the USB port security measures already in place.

Moreover, the IT department may choose to restrict the universal plug-and-play feature of USB drives on client computers deemed to be highly sensitive. Instead, the IT personnel may create read and write permissions for specific users with enough privileges to view or transfer the sensitive data to a USB device. Additionally, the IT staff has the prerogative to disable the plug-and-play feature on computers used by employees for specific roles to prevent unauthorized access or leakage of highly confidential corporate data. 

The organization’s IT department further reserves the right to completely ban the use of USB devices on all business-related systems and computers without providing a reason. Protecting confidential information from breaches, leakage, and loss should be the highest priority. Thus, the IT support staff may disable USB ports to restrict virtual or physical access in order to protect company data. By extension, the IT personnel may enforce policies and other necessary measures to prevent end-users from transferring data from specific system or network resources to USB devices.

  4. Access Control Policies Governing the Use of USB Drives

All employees must register all USB devices and related hardware and software with the IT team before their initial use on the company computer or network infrastructure. Registering all USB drives within the organization helps create a list of the devices permitted to access the company data and corporate infrastructure. If employees find their USB drive is not among those listed as having access privileges, they should contact IT for approval after the relevant security screenings and checks.

Furthermore, the organization must ensure that users who want to connect USB drives to non-corporate network infrastructure to access and transmit company data remotely implement company-approved firewalls or other security controls deemed necessary. Remote access to corporate data and secure data transmission should also go through a VPN to prevent attackers or the network provider from reading the data or from accessing and modifying the contents stored on the USB drive. More importantly, users must not connect USB devices and access corporate data on hardware or software that does not conform to the organization’s established IT and information security standards.

Also, the organization should maintain an updated list of USB drives approved to connect to, access, and store sensitive company data. Users should be prohibited from connecting USB drives not on the list to protect against potential security threats. If a user violates this policy, the IT department reserves the right to restrict or refuse the connection of unlisted USB drives and related removable media to corporate infrastructure. The organization should also take such action if it determines that allowing the USB drives to be connected puts its data, users, customers, or systems at risk.
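As an added example that is not part of the original article, the following Python script applies the audit criteria described under the security protocols above (connections at odd hours, unusually large copies to removable media) and the approved-device list from this section to constructed USB connection records. The record format, the serial numbers, the business-hours window and the 1 GB threshold are all assumptions made for this example, not values from the article.

```python
# Added example: flag USB connection records that breach the policy's audit
# criteria. Record format, serials and thresholds are constructed for the demo.
from datetime import datetime, time

# Constructed allow-list of device serials registered with IT (hypothetical).
APPROVED_SERIALS = {"SN-A1B2C3", "SN-D4E5F6"}

# Constructed sample audit records; the "key=value" field names are this
# example's own convention, not a real product's log format.
SAMPLE_LOG = [
    "2022-09-06T09:12:00 host=ws-12 user=alice serial=SN-A1B2C3 dir=to_usb bytes=120000",
    "2022-09-06T23:40:00 host=ws-07 user=bob serial=SN-D4E5F6 dir=to_usb bytes=4500000000",
    "2022-09-07T10:05:00 host=ws-03 user=carol serial=SN-ZZZ999 dir=from_usb bytes=2048",
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window
LARGE_TRANSFER_BYTES = 1_000_000_000        # assumed 1 GB outbound threshold


def parse_record(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec["bytes"])
    return rec


def audit_record(rec, approved=APPROVED_SERIALS):
    """Return the list of policy findings for a single parsed record."""
    findings = []
    if rec["serial"] not in approved:          # unlisted device (access control)
        findings.append("unregistered_device")
    if not BUSINESS_HOURS[0] <= rec["ts"].time() <= BUSINESS_HOURS[1]:
        findings.append("off_hours_connection")  # odd-hours usage (audit trail)
    if rec["dir"] == "to_usb" and rec["bytes"] >= LARGE_TRANSFER_BYTES:
        findings.append("large_outbound_transfer")  # bulk copy to removable media
    return findings


def audit_log(lines, approved=APPROVED_SERIALS):
    """Map (timestamp, user, serial) to findings, omitting clean records."""
    results = {}
    for line in lines:
        rec = parse_record(line)
        findings = audit_record(rec, approved)
        if findings:
            results[(rec["ts"].isoformat(), rec["user"], rec["serial"])] = findings
    return results


if __name__ == "__main__":
    for key, findings in audit_log(SAMPLE_LOG).items():
        print(*key, "->", ", ".join(findings))
```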

Corey Belanger

Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.