Many internal departments, Finance organizations in particular, create a lot of large files. It is not uncommon for Finance practitioners to create Excel files that are 5, 10 or 20 megabytes. I currently have more than 30 files on my PC greater than 20 MB. Corporate email systems often restrict the ability to send large files through their email servers in order to control bandwidth utilization. As a result, Finance organizations routinely use USBs to share large files with one another.
Few companies I know have outright banned the use of USB drives by disabling the USB port on company issued computers, and some of those who did later had to reverse their policy because users revolted saying they cannot get their jobs done without them.
Not having an established policy on the use of USBs, however, could leave your corporation at risk for a cyber security breach.
In November 2008, the Department of Defense's (DOD) U.S. Strategic Command experienced a USB-based virus intrusion (a variation of the Silly FDC worm) that spread throughout military networks by copying itself from one removable drive to another. In response, DOD banned the use of USBs. The ban covered all forms of USB flash media, external hard drives, SD memory cards, and other types of removable media. However, the ban only lasted 15 months because it made it impossible for many DOD personnel to perform their jobs (DOD Lifts USB Drive Ban). As the CIO of the Navy, Robert Carey, explained in 2009:
“Such media provide a simple, inexpensive, reusable and ubiquitous means for transferring information between computers and servers on both public and private networks. USB flash media are often used for deploying operating system patches, antivirus updates, and other large data transfers in bandwidth constrained environments, such as aboard ships and in deployed areas.”
After a thorough investigation, Carey found:
“Although policy and processes were in place to facilitate the safe use of USB flash media, they were not being followed. Unfortunately, it was our bad IT hygiene that resulted in the ban of this all too flexible use of storage media.”
What is your company's policy regarding USBs? Does your company have a USB policy? If it does, is the policy enforced? How is it enforced? Are employees well-trained on the proper control and use of USBs?
Below are suggested best practices that can be used to establish a corporate-wide policy on the usage of USBs.
Enterprise USB Best Practices
1. Establish a company policy that describes the required controls and permitted uses of USBs
- Discuss and debate what your USB policy should be and determine how you will safely deal with this capability going forward.
2. Train employees in the proper use of USBs
- Many virus incursions can be avoided if employees are well-trained in the proper care and use of USBs. Create required web training on the company policy and the use of USBs. Require that all employees take the training, and include a meaningful exam at the end.
3. Deploy USBs with advanced capabilities like:
- Consider deploying encrypted USBs and software to automatically encrypt USBs upon insertion into PCs
- Deploy a software utility that rejects the use of non-authorized USBs (if applicable)
- Deploy USBs that include virus scanning protection in them
- Require a USB utility that enforces password protection on the drive
- Deploy remote wipe technology on USBs so IT organizations can remotely wipe or lock lost or stolen USBs and change forgotten passwords
4. Enforce your USB policy
- Publish and post your USB policy and be prepared to enforce it. The threat to your systems is too great not to vigorously enforce your USB policy.
- The USB policy should be covered in employee orientation training sessions and posted on bulletin boards and corporate intranet sites.
- Many companies require employees to sign their USB policy. This way, employees acknowledge that they have read and understood it.
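As an illustration of the "reject non-authorized USBs" control in item 3, here is an added example (not code from the original post or any product it mentions) of the decision logic such a utility applies: it parses a Windows USBSTOR device instance ID, refuses devices that report no serial number (they cannot be individually allowlisted), checks the serial against an approved-device list, and produces an audit line. The approved vendors, products and serials are constructed, hypothetical values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed allowlist (hypothetical values): (vendor, product) -> approved serials.
APPROVED = {
    ("KINGSTON", "DATATRAVELER_3.0"): {"0019E06B2C5ABB70F0EC0DE1"},
    ("CORP_IT", "ENCRYPTED_DRIVE"): {"ENC00012345", "ENC00012346"},
}

# Windows USBSTOR disk IDs look like:
#   USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<ven>[^&]+)&PROD_(?P<prod>[^&]+)&REV_(?P<rev>[^\\]*)\\(?P<inst>.+)$",
    re.IGNORECASE,
)


@dataclass
class Decision:
    allowed: bool
    reason: str
    serial: Optional[str]


def parse_usbstor_id(device_id: str) -> Optional[Tuple[str, str, str, Optional[str]]]:
    """Split a USBSTOR device instance ID into (vendor, product, revision, serial)."""
    m = USBSTOR_RE.match(device_id)
    if not m:
        return None
    ven, prod, rev, inst = m.group("ven", "prod", "rev", "inst")
    # When a device reports no serial number, Windows generates an instance ID whose
    # second character is '&' (e.g. "7&2f1c3d9a&0&_&0"); it is per-port, not per-device.
    serial = None if len(inst) > 1 and inst[1] == "&" else inst.split("&")[0]
    return ven.upper(), prod.upper(), rev, serial


def evaluate(device_id: str) -> Decision:
    """Decide whether a plugged-in mass-storage device is on the approved list."""
    parsed = parse_usbstor_id(device_id)
    if parsed is None:
        return Decision(False, "not a USBSTOR disk device", None)
    ven, prod, _rev, serial = parsed
    if serial is None:
        return Decision(False, "device reports no serial number; cannot be allowlisted", None)
    approved = {s.upper() for s in APPROVED.get((ven, prod), set())}
    if serial.upper() in approved:
        return Decision(True, "approved device", serial)
    return Decision(False, f"unapproved device {ven} {prod}", serial)


def audit_line(device_id: str, user: str) -> str:
    """One log line per insertion, suitable for forwarding to a SIEM."""
    d = evaluate(device_id)
    return f"{'ALLOW' if d.allowed else 'DENY'} user={user} serial={d.serial or '-'} reason={d.reason}"
```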
What is your company’s policy on the use of USBs? Tell us in the comments section below.