The cybersecurity landscape is littered with stories of hackers who have used social engineering phishing techniques as a way to attack organizations, either by manipulating individuals to reveal confidential information or by tricking employees to click on email links and attachments, which can be the trigger for a malware or ransomware event.

Our social engineering vulnerability doesn’t stop there, however. Hackers also know that most people who find something of value will either 1) try to discover the rightful owner or, 2) keep the item for their own use. In the case of removable media – a USB flash drive, external hard drive, or SD card, for example – either decision can have a catastrophic consequence.

Is This Really a Threat?

While we don’t read about physical cyberattacks that originated from found USB devices as often as remote, cloud-based attacks, they do occur – and when they do, the damage to the organization always seems to be vast. Just consider these four high-profile attacks.

  • In 2020, Trustwave reported that a U.S. hospitality provider was the target of a USB flash drive attack, which occurred after the company received a fake Best Buy gift card in the mail, along with a USB flash drive. The accompanying letter instructed the company that a list of items the gift card could be used for could be accessed on the thumb drive.
  • Security company Kaspersky say crooks secretly planted USB devices on computers at big European banks in 2017 and 2018, causing millions of dollars in damages.
  • Attackers famously used a USB drive to do damage at Iran’s Natanz nuclear plant and beyond with the Stuxnet attack, first identified in 2010.
  • In 2008, an infected flash drive was plugged into a US military laptop in the Middle East and established “a digital beachhead” for a foreign intelligence agency. The malicious code on the drive spread undetected on both classified and unclassified systems enabling data to be transferred to servers under foreign control.

But We’re Smarter Than This, Right?

Certainly, we’ve all been told to plug into our computers only trusted removable media, yet research shows that it is human nature to do otherwise.

For instance, in 2016, researchers at the University of Illinois spread 297 USB flash drives across campus to see what would happen. Almost half of the devices (48%) ended up in the USB port of someone else’s computer.

In 2011, the U.S. Department of Homeland Security randomly dropped USB and optical drives in government and private contractor parking lots. More than half of those who picked one up readily plugged it into their work computer. Bloomberg News reported that 60% of those workers and contractors who picked up the drives plugged them into office computers. The report also said that 90% of found drives stamped with official government logos were plugged in.

How to Protect Yourself

When it comes to cybersecurity best practices, removable media and devices must only be plugged or inserted into your computer if you know and trust the source. That USB flash drive you found in your building’s lobby? There’s a chance it wasn’t dropped there by accident but planted there instead.

That said, as noted earlier, it is human nature to violate this very basic rule, and hackers bank that you – or one of your employees – will be their next victim. So, to reduce the chance that a rogue flash drive or external hard drive will bring your organization to its knees, it is a good idea to install physical port locks on all computer and network ports throughout the company. These nifty little devices cost as little as a couple bucks each but have been proven to effectively protect networks from malicious removable media – no matter how altruistic your employees’ intentions might be.