Protect Your Data from USB Threats


The State of USB Drive Insecurity

Insecure USB drives have created a significant risk for lost data as well as the spread of malware.

IT departments have known about the risks posed by USB drives for years now.


But, as our Mike Vizard reports, a recent survey shows that IT still exerts very little control over removable storage, even though it poses a world of security risks. Thumb drives tend to go missing, and if they contain unencrypted data, you have a breach on your hands. And an unscanned thumb drive is a main suspect in the recent spread of malware to the Iranian nuclear facility.


Our partners at Info-Tech Research Group have developed a six-page Removable Media Acceptable Use Policy that applies to a wide range of USB-connected devices, from thumb drives to digital cameras to MP3 players. Ultimately, all of these devices are hard drives that can connect to your local systems and network. The policy, which also extends to DVDs and CDs, is available for free download to IT Business Edge members here in the IT Downloads library.


The stated primary goal of the policy - which applies to any employee using removable media, regardless of business unit - is to prevent corporate data loss via removable storage. However, it also covers the full range of threats presented by removable storage, which you can see laid out in the following table from the policy document.



Some key tenets of the policy include:


  • All USB-related hardware and related software must be registered with IT. This is perhaps the most critical aspect of the policy, given that, as we said earlier, many IT shops have no idea about what devices are connecting to their systems. The policy also empowers IT to develop a list of approved removable devices.
  • IT has the prerogative to require users with removable storage devices to employ a personal firewall or other security measures. Anyone who does not meet these requirements can be locked off the network.
  • Any removable media that leaves the physical office will be subject to quarantine before being allowed access. Of course, this would apply to any USB stick attached to an employee's keychain. Fortunately, many anti-virus packages can be set to force a full scan (aka, quarantine) of a USB drive every time it is connected to the network.
  • Users must reset their password after any business trip where company data is passed around via USB devices.
  • IT reserves the right to ban USB device use outright in case of an emergency.

The policy goes on to describe IT's authority to run audits as it sees fit to respond to threats from USB-connected devices. These terms include requiring employees to submit their personal hardware to the audit, assuming it has been approved for connection to the network.


Another key issue in protecting corporate data from simply being misplaced on a portable drive is encryption. There are several tools on the market for this, including flash drives where the process is built in. Business-class versions of Windows 7 include BitLocker To Go, which can be configured by group policy to run against any device, including removable drives. Of course, if your company is deeply concerned about vital information getting outside the company walls, you should consider investing in a data loss prevention (DLP) system.
