USB storage devices are as common now as the mouse and keyboard. Portable devices have increasingly become a staple of the corporate environment, whether an organisation provides them for workers or not. With one in three people now working from home due to the Coronavirus pandemic, it’s not uncommon for employees to need to connect their own devices to the network and almost half of these have no security in place to handle these devices.
This suggests that many organisations have yet to come to grips with the security of employee-owned mobile devices used on their network. In 2018, a survey conducted by Applied Research – West on behalf of SanDisk found that 77% of corporate users say they’ve used a personal USB memory device for work purposes. And that’s not counting the use of other devices such as iPods, cameras and smartphones that workers commonly plug into their workstations for personal use as well. And what’s more, most users don’t understand the risks they take when they use these devices on the corporate infrastructure. For example, one in 10 workers surveyed by Applied Research re-ported having found flash drives in public places. Of those, more than half admitted that one of the first things they would do would be to plug in the foreign device to find out what was on it — a risky proposition given the amount of malware that can be downloaded upon connection with an endpoint.
While many IT managers do recognise what kind of problems such end user ignorance can promote, the typical knee-jerk reaction to enact an outright ban of USB devices and other portable media is hardly the right path to follow.
Instead of enacting ineffective and productivity-squashing bans that address the medium itself, organisations should think about how to protect the valuable information contained on the USB and the corporate assets it connects to. “Better, how about a control that enforces a policy like ‘don’t allow sensitive data to be copied to a USB drive unless the data (or the drive itself) is encrypted.’” Simply put, the ease of use, the prevalence of the format and the inherent insecurity of USB make it a dream for most crooks and mischief makers. To figure out a way to take advantage of portable devices without risking too much in the process, it is important to first thoroughly understand the threats that will need to be addressed.
By far the most common way a typical employee will expose his or her organisation to risk through USB use is simply by misplacing a device containing sensitive data. It is all-too-easy to accidentally leave behind a portable device on public, unsecured computers, be they at hotels, libraries or airport business centres. It happens all the time and is simply human error. Her Majesty’s Revenue and Customs (HMRC) reported 375 devices lost or stolen between July 2019 and June 2020, including 218 mobile devices, 132 Microsoft Surface Pro tablets, 12 laptop computers and 13 USB memory sticks. Alarmingly, of those 13 USB devices, only 5 were encrypted.
Not only could this pose a danger to mission-critical intellectual property, but if the lost information is classified as regulated data such as customer information, the organisation will also be burdened with engaging in the disclosure process.
The unchecked use of portable devices within an organisation can also open it up to the risk of massive data theft through storage that only keeps growing in capacity. That voluminous capacity alone can make these devices a prime virtual burglar’s bag to run away with the company jewels.
Unfortunately, the practice of theft via portable devices may be more rampant than most think.
And when paired with certain sinister software tools, these devices can be used to even more devastating effects. What types of sensitive or proprietary information are insiders taking with them when they leave the organisation?
The traditional capabilities of an “endpoint” are clearly evolving. For millions of employees, portable storage devices / media represent the natural extension of their endpoints. Because of this evolution, enterprise endpoint security must also grow to address the increasing concerns. Ultimately, this shifting corporate endpoint exposes a new threat vector that IT professionals must confront and secure. So, what can you do to reap the productivity gains without the risk?
As a Gartner analyst previously stated, workers today expect – in fact, need – to be able to access to information from anywhere, at any time, and from any device. It is, quite simply, a necessity in today’s competitive world – and so it’s time to embrace this new reality, but in a security-conscious manner. Especially now that the majority of people are working from home and will be in the future, it is important for people to be able to access company data from any location.
Encrypt Devices to Prevent Improper Data Disclosure:
By encrypting removable devices (like USB flash drives) and media (like CDs / DVDs), you can ensure that it can be safely used and transported without the fear of exposing confidential data to unauthorised users.
Enforce Device Usage Policies to Prevent Misuse:
By enforcing usage policies for removable devices (such as USB flash drives) and other removable media (such as CDs and DVDs), you can control the flow of data to and from your endpoints.
Devices that are not authorised are simply not allowed to execute.
Through a central console, device control policies are quickly established and enforced through two simple steps: identification and assignment. Policies are managed per user or user group as well as per computer, and user groups are immediately associated with devices on the y— dramatically simplifying the management of endpoint device resources.
Prevent Introduction of Malware via Removable Devices:
By validating removable devices as they are used within the enterprise, you can prevent malware from being introduced onto the network. This includes assigning permissions for authorised removable devices (such as USB sticks) and media (such as DVDs and CDs) to individual users or user groups and controlling the downloading of unknown or unwanted ‑les from removable devices.
Full Disk Encryption
It’s not just removable storage devices and media that need encryption. Surveys indicate that 86% of organisations have had a laptop lost or stolen, and 56% of these have resulted in a data breach. And an astonishing 58% of these laptop losses happened at work. The sensitive information stored on these laptops can be misused in an instant, unless you have complete control over how data is stored – and whether it is encrypted.