USB flash drives come with inherent security risks, yet they are not going away anytime soon. The ease with which flash drives transport data makes them a ubiquitous business tool, and many people own at least one USB flash drive, typically used either to transfer data from one device to another or to back up sensitive documents. If your flash drive is only used by you – and has only ever been used by you – and the same can be said of the device you are plugging it into, then you are probably safe.
Where the Risk Comes In
Many of us carry flash drives that were “borrowed” from someone else, found in a desk drawer, or given to us by a business associate, team member, vendor – or anyone else we’ve come in contact with. What’s more, we’re plugging that flash drive into a device that may have had multiple users, runs various cloud-based applications, and has been used to click links whose origins and safety are unknown.
Even if you think you’ve contained any risks associated with your USB flash drive, ask yourself these questions:
- Have you ever lent your USB flash drive to anyone – even for five minutes?
- Have you ever used your flash drive to plug into a remote printer at a print shop?
- Have you ever used your flash drive to run a presentation on someone else’s laptop or projector?
- Have you ever used your flash drive to transfer data to or from someone else’s computer?
If you’re being honest with yourself, the answer is, “yes.” Because you have no idea how the print shop or your colleague manages their devices or approaches cybersecurity protection, your flash drive – and everything else you’ve plugged that flash drive into – is now exposed to a Petri dish of electronic viruses.
The reality is that if any of those aforementioned devices are infected with malware, it’s highly possible that your USB flash drive is now infected, too. If it is, when you plug that flash drive into your own computer, the malware will likely find a new home there. This is known as cross-contamination, and cyber criminals rely on your seemingly innocent actions to spread their malicious code.
What’s more, if your flash drive is lost or stolen – and that USB flash drive contains sensitive information – you have just initiated a potential data breach, which could cost your organization millions of dollars. It is because of these risks that many companies – including IBM – have banned the use of all exportable storage devices for all staff, everywhere.
Still Not Convinced of the Threat?
In the fall of 2017, an unencrypted USB flash drive was found in West London containing sensitive and secret information regarding Heathrow Airport. According to Cyber Defense magazine, “the 76-folder/174-document drive detailed measures employed at Heathrow to protect the Queen, a timetable of security patrols, maps pinpointing CCTV cameras, the types of ID needed to access restricted areas, documentation of the ultrasound system used by Heathrow security to check perimeter fences and runways for breaches; and, a discussion regarding the type of threat the airport could face.”
More recently, in 2019, Canadian banking group Desjardins suffered a data breach that affected some 2.7 million people and around 173,000 companies. The stolen information included names, addresses, dates of birth, social insurance numbers, email addresses, and information on customers’ transaction habits. The source of the breach? An employee with “ill-intention” who downloaded the data to a flash drive.
Lessons Learned
In this new work-from-home era created by a global pandemic, the cybersecurity dangers associated with USB flash drives are growing exponentially, as the very properties that make USB flash drives portable and enable them to connect to various networks also make them vulnerable to network security breaches. All it takes is one unencrypted USB flash drive to launch a massive cyber assault on a company’s data network.
The lesson here is that intentional attacks are far from the only way that sinister viruses and malware come into data ports. In fact, intentional attacks are most likely the minority.
The broader threat is unintentional. A thumb drive that gets used at home and then at work brings with it anything the home computer might have picked up along the way in the form of bugs and bleeps from the Internet. All the more reason to secure your USB and network ports so that portable media devices – USB flash drives in particular – cannot be connected to your ports.
What are Your Options?
USB port locks, network module locks, LAN cable locks, and secure USB hubs for your attached USB devices are inexpensive devices that effectively thwart both malicious and negligent insiders. Taking the first step of banning portable media entirely – to follow IBM and others – is a place to start, but a policy alone doesn’t protect your organization. The second step is to put teeth into your policy by locking your ports so that it is impossible to connect a USB flash drive or other external device.