USB Thumb Drives: Tiny IT Security Terrors

Updated: September 21, 2015

Issue

Thumb drives: so small, so convenient and so seemingly innocuous. It's hard to believe that these handy devices pose such a big threat to IT security, but they do. In fact, memory sticks, USB drives, media players and other storage-oriented devices that plug into desktop and notebook computers via a USB port pose a double-edged menace: they let users surreptitiously copy confidential information from enterprise servers, and they can introduce malware and spyware into networked systems.

The thumb-drive threat isn't theoretical. A survey of IT managers conducted at the Infosecurity conference in London in 2007 revealed that while more than half use thumb drives daily, many still view portable storage devices as a major internal security threat.

The knee-jerk reaction that many business owners and managers have to thumb drives — banning the gadgets from their workplace — usually doesn't do much to alleviate the threat. A survey conducted earlier this year by Boston-based Yankee Group Research Inc. found that employees were confident of their abilities to bring consumer devices like thumb drives into the workplace. Thirty-one percent of workers claimed that they could circumvent the IT department altogether, while just 13 percent of the survey's respondents felt that IT had complete control over their computers.

Still, the situation is far from hopeless. The threat posed by thumb drives can be greatly reduced, if not completely eliminated, by following a strategy that combines planning, technology and communication.

 

Strategies

1. Understand the threat. Thumb drives are now cheap and ubiquitous. The devices are sold at Wal-Mart, handed out as advertising premiums and swapped between employees and business partners. A business stands about as much of a chance of eradicating thumb drives as it does of eliminating paper clips. Gluing shut computer USB ports isn't an answer either. Thumb drives are now so widely used that blocking their use risks harming worker morale and productivity. A far better approach is to add thumb drives to the company's security master plan.

2. Formulate a policy. Data-access control is the key to thumb-drive security. At most businesses, employees aren't allowed to remove certain types of files from company premises on disks, paper, portable computers or via the Internet. Thumb drives need to be added to this list of media and technologies.

To keep thumb drives from infecting IT resources with malware, PCs, servers and network devices need to be protected with state-of-the-art security technology. This is nothing new. In fact, the situation isn't much different from several years ago, when employees routinely brought malware-laden floppy disks to work.

3. Employ encryption. Thumb drives are easy to lose. Encryption won't prevent a disgruntled employee from stealing critical information, but the technology will help keep a careless or absentminded worker from accidentally passing data into unfriendly hands. TrueCrypt is a popular open-source tool that can encrypt USB drive data on the fly, and there are numerous solutions that can integrate into existing enterprise security solutions.

4. Educate employees. Many employees aren't aware of the security risks of thumb drives. Business owners and managers can drive the security message home via newsletters, handouts, Web portals, employee handbooks, signs and other media. The company needs to explain the steps that users can take to minimize the threat, and it's important to remind employees that they will be held responsible for data-security lapses if a problem arises. Whenever possible, systems should be created that prompt users with security warnings when they are about to perform a potentially dangerous action with a USB device.

The Bottom Line



The rule of thumb? Recognize the thumb-drive threat and take action.
