Many companies permit the use of USB drives to store and transfer large amounts of sensitive data. According to a recent market report, researchers forecast that the USB flash drive market will grow at a compound annual growth rate of roughly 7.1% in 2022. However, USB drives pose a serious security threat to an organization: a 2022 report found that removable media accounted for 9% of all cybersecurity incidents.
Some of the security risks introduced by the use of USB drives include:
Business policies for using USB drives are crucial because they define the acceptable procedures, restrictions, and standards for users and employees who have a legitimate business need to connect USB devices and related removable media to the organization's corporate networks and systems. Also, because the rapid expansion of remote working has increased the use of personal USB devices, USB drive use policies must stipulate the access and security controls that govern such devices.
In this regard, the business policies described in this document apply to all devices and related media that fall into any of the following categories:
All employees who use USB-related devices or software to store, back up, or transfer data within the organization must follow secure processes for managing that data. These include protecting the data with strong passwords and an approved encryption mechanism. Employees must also never reveal those passwords to anyone, including family members, to protect against unauthorized access.
In addition, the organization's IT department must pre-approve the use of USB devices for any business purpose. Pre-authorized USB drives must satisfy specific security measures for protecting enterprise data, including but not limited to physical security, encryption, and strong passwords. Furthermore, the organization should ensure that any non-work-issued computer to which a corporate USB device is connected runs a strong antivirus solution with the latest signature updates installed.
All USB drives must also be quarantined after they return to the office, before they can be used on any enterprise infrastructure. More generally, the IT department should quarantine all removable media that has been used outside the organization to prevent malware infections from spreading to other networks and systems.
Lastly, USB-based memory sticks used to store or transmit sensitive corporate data must conform to the organization's authentication requirements, and end-users must set a new password each time they use a USB device for business purposes. Passwords must not be stored on the storage device itself, since a lost drive would then carry its own key. Additionally, to complement the authentication controls on the USB devices, the organization's IT department must pre-approve the hardware security configuration of any computer, whether company-owned or personal, before a USB drive carrying corporate data may be connected to it.
Well-defined security protocols are critical to safeguarding USB drives. Firstly, the organization's IT department must establish audit trails that can be consulted when a security incident occurs. The audit trails should include sufficient processes for tracking every computer to which a given USB drive has been connected.
Therefore, all end-users must accept that the organization may monitor their access or connection to the organization's network and record the times, dates, access duration, and volume of files transferred (from the network to the USB device and vice versa) to build those audit trails. Reviewing audit trails is essential to identifying suspicious behavior, such as connections at odd hours and unusual usage patterns like copying large amounts of data. In addition, monitoring the use and connection of USB drives will help the company identify accounts or computers that may have been compromised.
In addition, all employees and end-users must agree to notify the IT department immediately of any incident that may involve USB drive security. Users must report cases where unauthorized people gain access to USB data, data loss through misplaced drives or other means, the connection of unauthorized drives to company networks, and disclosure of databases or company resources stored on USB devices. Prompt reporting permits early investigation and mitigation to limit the impact of possible data loss or cyber-attacks.
Employees, third parties, temporary staff, and contractors must not modify company-issued systems or their associated software or hardware installations. Such modifications, where necessary, require the express approval of the organization's IT department. This policy includes modifying or reconfiguring USB ports, which may alter the USB port security measures already in place.
Moreover, the IT department may choose to restrict plug-and-play (automatic device installation) for USB drives on client computers deemed highly sensitive. Instead, IT personnel may grant read and write permissions only to specific users with sufficient privileges to view or transfer the sensitive data to a USB device. Additionally, IT staff have the prerogative to disable plug-and-play on computers used by employees in specific roles to prevent unauthorized access to, or leakage of, highly confidential corporate data.
The organization's IT department further reserves the right to completely ban the use of USB devices on all business-related systems and computers without providing a reason. Protecting confidential information from breaches, leakage, and loss is the highest priority. Thus, IT support staff may disable USB ports, either physically or in software, to protect company data. By extension, IT personnel may enforce policies and other necessary measures to prevent end-users from transferring data from specific system or network resources to USB devices.
All employees must register every USB device and its related hardware and software with the IT team before its first use on company computers or network infrastructure. Registering all USB drives within the organization creates a list of the devices permitted to access company data and corporate infrastructure. If employees find that their USB drive is not among those listed as having access privileges, they should contact IT for approval, which is granted only after the relevant security screenings and checks.
Furthermore, the organization must ensure that users who connect USB drives to non-corporate network infrastructure in order to access and transmit company data remotely use company-approved firewalls and any other security controls deemed necessary. Remote access to corporate data and its transmission should also take place over a VPN so that attackers or the network provider cannot read or modify the data in transit; note that a VPN protects only the data while it is moving, not the contents stored on the drive, which is why the encryption requirement above applies regardless. More importantly, users must not connect USB devices or access corporate data on hardware or software that does not conform to the organization's established IT and information security standards.
Also, the organization should maintain an up-to-date list of the USB drives approved to connect to, access, and store sensitive company data. Users must be prohibited from connecting USB drives that are not on the list, to protect against potential security threats. If a user violates this policy, the IT department reserves the right to restrict or refuse that user's ability to connect unlisted USB drives and related removable media to corporate infrastructure. The organization should take the same action whenever it determines that allowing a USB drive to be connected puts its data, users, customers, or systems at risk.
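The monitoring described in the audit-trail section above (connection times, durations, volumes transferred, and the odd-hour and bulk-copy patterns it is meant to surface) and the registered-device list from the registration paragraphs can be checked together from one audit trail. The following Python is an added example, not the page's own tooling or any vendor's product; the log line format, the business-hours window, the 1 GiB threshold, the vendor:product:serial identifier format and the sample records are all constructed assumptions.

```python
# Added example: review a constructed USB audit trail against a registered-device list and
# two anomaly rules. Log format, thresholds and device identifiers are assumptions.
import re
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed allowlist from the registration step, keyed vendor:product:serial. Vendor and
# product IDs are shared by every unit of a model, so the serial has to be part of the key.
REGISTERED_DEVICES = {"0781:5581:4C530001230405", "0951:1666:0013729A8B2C"}
BUSINESS_HOURS = (7, 19)    # assumed: connections outside 07:00-19:00 count as odd hours
LARGE_COPY_BYTES = 1 << 30  # assumed: more than 1 GiB copied out in one session is large

# Constructed sample trail: "<ISO timestamp> <host> <user> <action> <device> [bytes=N]".
SAMPLE_LOG = """\
2024-03-04T09:12:05 ws-017 alice connect 0781:5581:4C530001230405
2024-03-04T09:12:40 ws-017 alice copy_out 0781:5581:4C530001230405 bytes=2400000
2024-03-04T09:15:10 ws-017 alice disconnect 0781:5581:4C530001230405
2024-03-04T23:41:03 ws-042 bob connect 0951:1666:0013729A8B2C
2024-03-04T23:41:30 ws-042 bob copy_out 0951:1666:0013729A8B2C bytes=5368709120
2024-03-05T00:20:11 ws-042 bob disconnect 0951:1666:0013729A8B2C
2024-03-05T10:02:00 ws-017 carol connect 1d6b:0002:ZZ99
2024-03-05T10:03:00 ws-017 carol copy_in 1d6b:0002:ZZ99 bytes=12000
2024-03-05T11:00:00 ws-099 dave copy_out 0781:5581:4C530001230405 bytes=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>connect|disconnect|copy_in|copy_out) "
    r"(?P<device>[0-9a-f]{4}:[0-9a-f]{4}:\S+)(?: bytes=(?P<nbytes>\d+))?$"
)
Event = namedtuple("Event", "ts host user action device nbytes")

@dataclass
class Session:
    """One connect..disconnect period of a device on a host, with bytes moved each way."""
    host: str
    user: str
    device: str
    start: datetime
    end: Optional[datetime] = None
    bytes_out: int = 0
    bytes_in: int = 0

def parse_log(text):
    """Parse the trail; a line that does not match is a corrupt record, not something to skip."""
    events = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit record: {line!r}")
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"], m["user"],
                            m["action"], m["device"], int(m["nbytes"] or 0)))
    return events

def build_sessions(events):
    """Group events by (host, device) into sessions; also return orphan events, i.e.
    activity with no preceding connect, which is a gap in the trail auditors should see."""
    open_sessions, finished, orphans = {}, [], []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.device)
        if ev.action == "connect":
            open_sessions[key] = Session(ev.host, ev.user, ev.device, ev.ts)
        elif key not in open_sessions:
            orphans.append(ev)
        elif ev.action == "disconnect":
            open_sessions[key].end = ev.ts
            finished.append(open_sessions.pop(key))
        elif ev.action == "copy_out":
            open_sessions[key].bytes_out += ev.nbytes
        else:
            open_sessions[key].bytes_in += ev.nbytes
    finished.extend(open_sessions.values())  # devices still plugged in at end of log
    return finished, orphans

def review(events, registered=REGISTERED_DEVICES):
    """Apply the policy rules; one finding dict per flagged session or orphan event."""
    sessions, orphans = build_sessions(events)
    findings = []
    for s in sessions:
        tags = []
        if s.device not in registered:
            tags.append("unregistered-device")
        if not BUSINESS_HOURS[0] <= s.start.hour < BUSINESS_HOURS[1]:
            tags.append("odd-hours")
        if s.bytes_out > LARGE_COPY_BYTES:
            tags.append("large-copy-out")
        if tags:
            findings.append({"host": s.host, "user": s.user, "device": s.device,
                             "start": s.start.isoformat(), "bytes_out": s.bytes_out, "tags": tags,
                             "duration_s": (s.end - s.start).total_seconds() if s.end else None})
    for ev in orphans:
        findings.append({"host": ev.host, "user": ev.user, "device": ev.device,
                         "start": ev.ts.isoformat(), "bytes_out": ev.nbytes,
                         "tags": ["activity-without-connect"], "duration_s": None})
    return findings

if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample trail this flags bob's session (late-night connection and a 5 GiB copy out), carol's still-open session on an unregistered stick, and dave's copy with no recorded connect, which points at a gap in the trail rather than at the user. Keying the allowlist on vendor, product and serial rather than vendor and product alone is deliberate, because two sticks of the same model share the first two. A hostile device can still present any identifiers it likes, so the list catches policy violations by ordinary users, not malicious hardware; for sensitive hosts the stronger control is the one described above, disabling USB storage or the ports outright.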