Today, civilization itself has become utterly dependent on the rapid collection, analysis, and sharing of data. Our human interaction with that data seeks to turn it into useful information – with mixed results – yet such basic elements of society as power, water, and transportation now perch precariously on the fulcrum of effective network security protection. Sensing this critical dependence, industries and governments spent $124 billion in 2019 on cybersecurity.
And yet, for the vast majority of systems and installations, the physical points of access to our vital information and data networks remain unguarded. It’s hard to believe when you step back and consider it, but, in fact, the sector of the cybersecurity protection perimeter that should be the most obvious – the visible, physical sector – is the one that is left completely unguarded in most cases, like leaving the front door wide open. Of all the paradox that came with the digital revolution, this might be the most puzzling. How could the most obvious access to vital data and information systems – often accessed by USB flash drives – be the avenue that’s overlooked?
The visible data ports and connections might be overlooked for computer system security, but they certainly have not been overlooked by saboteurs and others intent on inflicting damage. Some of the most consequential examples of cyber-espionage and cyber-sabotage were inflicted by innocent-looking flash drives scattered – like bait – in parking lots and plugged into sensitive data systems by surprisingly naïve persons who simply wanted a free device for storing and transferring data.
The Threat Can Be Casual as well as Hostile
Even more widespread are the daily breaches in which authorized personnel thoughtlessly charge or sync their personal mobile device through a USB port at work. The people who inflict this untold damage are not by any means ignorant or unqualified. In fact, research has shown that this behavior occurs in even the best-trained, most thoroughly indoctrinated personnel, including authorized operatives at sensitive, high-security agencies.
It’s not just the idea of USB flash drives infecting computers and networks that is cause for alarm, there is also the risk that associates will download sensitive data to those flash drives and then carelessly lose the devices – opening the door for unintentional data breaches. In fact, such a data breach has already occurred, and, in 2017, it cost London’s Heathrow Airport $155,000 in fines.
In that situation, a USB memory stick was lost by a Heathrow employee and found by a member of the public, who viewed its contents on a library computer. None of the data stored on the device was encrypted or password protected. The individual then passed the device to the Sunday Mirror, a national newspaper. The newspaper made copies of the information and then returned the device to Heathrow.
Because of the inherent risks with USB flash drives, IBM banned them entirely in 2018. Rather than risk an unsuspecting employee from infecting IBM’s network with a flash-drive-carried virus – or losing sensitive data the way a Heathrow employee did – the company simply said, “no more.”
Those two words – “no more” – are also what we should be saying to USB ports in general. Until that day, you should lock down your USB ports using port locks or risk being the next Heathrow-type headline that appears in the news.