It’s been reported in the news this week that staff at IBM have been banned from using removable memory devices such as USB sticks, SD cards and flash drives.
According to The Register, IBM have stated that the possibility of “financial and reputational” damage if staff lost or misused the devices prompted the decision.
IBM staff who need to move data around will now be encouraged to do so via an internal network.
Some IBM departments had been banned from using removable portable media for some time, but the decree is now being implemented worldwide. IBM staff are expected to stop using removable devices by the end of May.
There is no doubt that USB devices do present a real risk. It’s very easy to extract data from a company using these devices, or to introduce malicious software. The worst military breach in U.S. history happened ten years ago when a USB flash drive, containing malware, infected the network and resulted in the Department of Defense’s sensitive information being leaked.
Ten years on, IBM’s new policy reminds all of us who are involved in cyber security of the risks flash drives can create for a business. While many of these risks can be mitigated by adopting good practices, it’s important to appreciate just what is at stake if you don’t take steps to secure your USB flash drives.
The most common problem with USB drives is that they are small and easily misplaced. If you have password-protected or encrypted your USB flash device, then you shouldn’t worry too much over the loss. Assuming you’ve still got the data backed up elsewhere, your data will remain safe whether the device is lost or stolen.
A USB flash device without password protection is a major security risk, especially if your device is carrying any kind of personal or company data.
The simplest way to avoid losing a USB stick is to make sure it is stored securely on your person. It should also be placed where it will not be damaged, as excessive shock or pressure can break or corrupt the data.
It’s not often considered, but finding a USB drive is just as dangerous. You might think of it as free stuff, but, unfortunately, a USB flash drive can be used to fool you into loading malware onto your computer.
A study in 2016 showed that almost 50 percent of people who find a USB flash device insert it into their computer without taking any precautions. The only people who should check the contents of a found USB flash drive are security experts with secure PCs with sandboxing and specialized security software.
As a small, relatively inexpensive item, it’s easy to think of USB sticks as disposable, shareable objects. However, a USB stick contains data, and that can easily be recovered. Securely removing all your data is important, whether you’re giving the device to a friend or a stranger.
Several methods are available for securely wiping flash-based media, but each read/write cycle will age the disk. As such, it’s best to simply wipe-and-bin older drives, as they might not last that long in the hands of their new owner. If you want to obliterate your flash drive so that nothing is recoverable, you’ll need to take certain action and perhaps use a third-party app. Talk to us about making sure all your devices are covered and safe.
Unfortunately, there are some malware threats that are designed to be run off USB flash drives. Some standard Trojans and worms can be found auto-running. Without security software on your PC, such as Kaspersky, any worm, malware or Trojan can cause you a serious security headache.
There is also a specific piece of software called BadUSB. Fortunately, it was created by security researchers as a test to demonstrate how easy it is to hack through USB.
Stored on the firmware of USB devices (which includes keyboards and phones as well as flash drives), it is virtually undetectable, and can result in a targeted PC being hijacked.
This isn’t an attack that is likely to be used on you, but the BadUSB proof of concept shows that an infected USB device could be used to target an individual.
It doesn’t need explaining, but when an employee leaves your company, they usually take some things with them. USB sticks are easy to miss, as they are small and quickly forgettable.
If your employee’s departure is by mutual consent, they may well destroy or delete any data of yours. However, this isn’t always the case. And if there has been a disciplinary issue or breakdown in trust and communication, the risks are increased considerably.
Following IBM’s decision and banning all USB flash devices isn’t necessary for every business. However, safe storage of your USB flash devices and company-wide awareness of the risks are vital. Security and privacy can be easily breached if you don’t have a clear, enforceable policy in place on how your staff handle their USB devices.
To learn more about how to put a USB security policy into place for your business, why not have a conversation with our cyber security team? We offer a free IT audit of all your devices to make sure you and your company data are safe.