This was a question my friend asked me last week as it turned out his company suddenly wanted to block them from being used and he could not understand why and was in fact rather annoyed. After I had sat down and explained to him the risks of USB devices, I thought this would make a great post for the blog
What are USB storage devices?
They can range from a flash drive to a hard drive in a box, this post will concentrate on the small flash drives but equally applies to the other devices .
Flash drives have become so popular because they use little power, have no fragile moving parts are small, light and cheap. Data stored on flash drives is impervious to mechanical shock, magnetic fields, scratches and dust. These properties make them great for transporting data from place to place and keeping the data readily at hand.
I remember when the first flash drives were just 8 MB but they have since massively increased to 516 GB or even 1 TB. A 64 GB for example already holds a massive amount of information (Examples can be seen here https://www.ebay.co.uk/gds/What-Size-USB-Flash-Drive-Should-You-Buy-/10000000177330128/g.html)
So what risks ?
These devices as mentioned are small and can contain a vast amount of data, so look out for the following risks
They can easily be lost or stolen which can lead to an accidental of data
They can be used by malicious insiders at a company to easily extract a large amount of confidential company information.
They can bypass most of the network security controls (such as the firewall, proxy, mail security gateway etc) and accidentally (or maliciously) introduce malware onto your computer. This is particularly relevant if a USB device is shared between work devices and home (which probably has far less security than at work)
The first risk applies to everyone from home user to a company employee. Using an encrypted USB device will help if the device is lost (as long as you have used a strong password .. more on this in a future post)
I usually advise a company that does not want to block USB devices to at least only allow approved company encrypted devices to be plugged into a device and to block any other makes of USB devices.
Blocking USB devices is the best and most cost-effective way to stop company data loss via these devices. They also give an additional benefit of preventing the third risk of introducing malware
One question I get from company bosses is the third risk does not really apply to their company as they have anti-virus. It may come as some surprise to you that anti-virus is not 100% effective and does not always pick up the latest malware. (http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html)
If you are a company ..block the devices and use a cloud business service (OneDrive, Dropbox, Google Drive) to store company data (more on this in a later post). Allow only a few exceptions which must use a company approved and monitored device
For home use, by all means, use an encrypted USB device but be aware it can be lost so make sure that you have a backup of your data elsewhere.