USB Thumb Drives: Tiny IT Security Terrors

Updated: October 27, 2007



Thumb drives: so small, so convenient and so seemingly innocuous. It's hard to believe that these handy devices pose such a big threat to IT security, but they do. In fact, memory sticks, USB drives, media players and other storage-oriented devices that plug into desktop and notebook computers via a USB port pose a dual-edged menace, enabling users to both surreptitiously copy confidential information from enterprise servers as well as to introduce malware and spyware into networked systems.

The thumb-drive threat isn't theoretical. A survey of IT managers conducted at the Infosecurity conference in London in 2007 revealed that while more than half use thumb drives daily, many still view portable storage devices as a major internal security threat.

The knee-jerk reaction that many business owners and managers have to thumb drives — banning the gadgets from their workplace — usually doesn't do much to alleviate the threat. A survey conducted earlier this year by Boston-based Yankee Group Research Inc. found that employees were confident of their abilities to bring consumer devices like thumb drives into the workplace. Thirty-one percent of workers claimed that they could circumvent the IT department altogether, while just 13 percent of the survey's respondents felt that IT had complete control over their computers.

Still, the situation is far from hopeless. The threat posed by thumb drives can be greatly reduced, if not completely eliminated, by following a strategy that combines planning, technology and communication.



1. Understand the threat . Thumb drives are now cheap and ubiquitous. The devices are sold at Wal-Mart, handed out as advertising premiums and swapped between employees and business partners. A business stands about as much of a chance of eradicating thumb drives as it does of eliminating paper clips. Gluing shut computer USB ports isn't an answer either. Thumb drives are now so widely used that blocking their use risks harming worker morale and productivity. A far better approach is to add thumb drives to the company's security master plan.

2. Formulate a policy. Data-access control is the key to thumb-drive security. At most businesses, employees aren't allowed to remove certain types of files from company premises on disks, paper, portable computers or via the Internet. Thumb drives need to be added to this list of media and technologies.

To keep thumb drives from infecting IT resources with malware, PCs, servers and network devices need to be protected with state-of-the-art security technology. This is nothing new. In fact, the situation isn't much different from several years ago, when employees routinely brought malware-laden floppy disks to work.

3. Employ encryption. Thumb drives are easy to lose. Encryption won't prevent a disgruntled employee from stealing critical information, but the technology will help keep a careless or absentminded worker from accidentally passing data into unfriendly hands. TrueCrypt is a popular open-source tool that can encrypt USB drive data on the fly, and there are numerous solutions that can integrate into existing enterprise security solutions.

4. Educate employees. Many employees aren't aware of the security risks of thumb drives. Business owners and managers can drive the security message home via newsletters, handouts, Web portals, employee handbooks, signs and other media. The company needs to explain the steps that users can take to minimize the threat, and it's important to remind employees that they will be held responsible for data- security lapses if a problem arises. Whenever possible, systems should be created that prompt users with security warnings when they are about to perform a potentially dangerous action with a USB device.


The Bottom Line

The rule of thumb? Recognize the thumb-drive threat and take action.

Related Categories
Featured Research
  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more