Universal Serial Bus (USB) drives. Those little storage devices that we all have used at one time or another represent a security threat, and your organization is at risk if you are not doing something about it. How IT managers recognize and manage this threat makes a great difference if the threat is realized.

Do you remember a 2010 IBM security conference in Australia when they gave out Do USBs Pose A Security Threat To Your Organization-1.jpgmalware infected USB drives to attendees? (IBM Distributes USB Malware at Security Conference)

It happened again in April 2017, when they unintentionally shipped virus infected USBs for their IBM Storwize products. (IBM Ships Malware on-USB Flash Drives)

USBs Get Lost

How many of you have bought a cheap USB drive from your local office supply store and used that drive at work to easily store or share large files with colleagues? What happens if that drive gets lost somewhere? Let me assure you that USBs get lost all the time. According to research conducted in the UK, more than 22,000 USB drives are left in owners’ pockets at their local dry cleaners and only about half of them are ever returned. (22000 USB Sticks Go to the Dry Cleaners)

In 2015, a Bank of Barclay employee lost a USB drive containing sensitive data on 13,000 customers. The UK’s Ministry of Defense reported that more than 100 USB drives containing restricted or secret data had been lost over a four-year period. (Barclays to Compensate Customers for Losing USB Stick Containing Personal Data)

USBs Get Stolen

In 2016 at an Indiana hospital, an unencrypted USB drive that stored data on more than 29,000 patients went missing. (IU Health Arnett Reports Missing Patient Info)

At a Puerto Rico insurance company, a USB drive was stolen that contained personal data for more than 2,200 people, including their names, dates of birth, and social security numbers. The theft was considered a violation of HIPAA compliance, and the company was fined $2.2 million. (HIPAA Violations - Stolen USB Drive Costs Insurer 2.2 Million)

USB Used For Revenge

Well-known examples about employees with perverse motives taking sensitive company information for revenge are all over the news today. In 2015, a disgruntled employee at the FDIC used a USB drive to steal bank account and social security numbers from 30,000 people. (Report: FDIC Employees Caused Repeated Security Breaches)

Similarly, in 2016 a CalOptima employee who was leaving the company stole names and social security numbers of 56,000 patients via an unencrypted USB drive. (Potential CalOptima PHI Data Breach Affects 56K Members) 

Curious George

Like Curious George who was lured into a trap by the man with the yellow hat, people who find USBs want to see what’s on them. A comprehensive study at the University of Illinois showed that 48% of people who find USB drives plug them in and click on at least one file. If the USB drive has a virus on it the results can be disastrous. The study, published in May 2016 at the 37th IEEE Security and Privacy Symposium said the first found drive was viewed in less than six minutes and half of the drives were connected within seven hours.

So yes, if there is a USB drive at your company, then USB drives pose a security threat.

What can you do about it?

As I mentioned in a previous blog, Have a Cybersecurity USB Policy? If Not, You Should here are several best practices companies should follow with regard to the use of USBs:

Enterprise USB Best Practices

1. Establish a company policy that describes the required controls and permitted uses of USBs.

  • Discuss and debate what your USB policy should be and determine how you will safely deal with this capability going forward.

2. Train employees in the proper use of USBs.

  • So many virus incursions can be avoided if employees are well-trained in the proper care and use of USBs. Create required web training on the company policy and use of USBs. Require all employees take the training that includes a meaningful exam at the end.

3. Deploy USBs with advanced capabilities like:

  • Consider deploying encrypted USBs and software to automatically encrypt USBs upon insertion into PCs
  • Deploy a software utility that rejects the use of non-authorized USBs (if applicable)
  • Deploy USBs that include virus scanning protection in them
  • Require a USB utility that requires password protection to be used
  • Deploy remote wipe technology on USBs so IT organizations can remotely wipe or lock lost or stolen USBs and change forgotten passwords

4. Enforce your USB policy

  • Publish and post your USB policy and be prepared to enforce it. The threat to your systems is too great not to vigorously enforce your USB policy.
  • USB policies are found in employee orientation training sessions, posted on bulletin boards and corporate intranet sites.
  • Many companies require employees to sign their USB policy. This way, employees acknowledge that they have read and understood it.