What security risks are associated with USB media?

USB storage

Tim Bandos, CISO, Digital Guardian, talks to us about the security risks faced by businesses when using USB storage.

From hard drives and flash drives to a wide range of other devices, USB media offers a fast, simple way to transport, share and store data when digital transfer isn’t possible. However, their highly accessible and portable nature can make them a complete business security nightmare, with data leakage, theft, and loss all common occurrences. 

The remote working climate that many organisations currently have in place appears to have compounded these issues. According to recent research, there has been a 123% increase in the volume of data downloaded to USB media by employees since the onset of COVID-19, suggesting many have used such devices to take large volumes of data home with them. As a result, there’s hundreds of terabytes of potentially sensitive, unencrypted corporate data floating around at any given time, greatly increasing the risk of serious data loss.  

Fortunately, effective implementation of USB control and encryption can significantly improve protection against the inherent dangers of such devices.

USB control and encryption


USB control and encryption refers to the set of techniques and practices used to secure the access of devices to USB ports. Such techniques and practices form a key part of endpoint security and help protect both computer systems and sensitive data assets from loss, as well as security threats that can be deployed via physical plug-in USB devices, such as malware. 

There are numerous ways that USB control and encryption can be implemented. The most authoritarian approach is to block the use of USB devices altogether, either by physically covering endpoint USB ports or by disabling USB adapters throughout the operating system. While this is certainly effective, for the vast majority of businesses it simply isn’t a workable approach given the huge number of peripheral devices that rely on USB ports to function, such as keyboards, chargers, printers and many more.

Instead, a more practical approach is to combine less draconian physical measures with the use of encryption that protects sensitive data itself, meaning even if a flash drive containing such data is lost or stolen, its contents remain safe. The easiest (and usually most expensive) way to do this is by purchasing devices that already have robust encryption algorithms built into them. A cheaper (but harder to manage) alternative is to implement and enforce specific IT policies governing the use of USB devices. This could either be one that only permits employees to use certain ‘authenticated’ USB devices – whose file systems have been manually encrypted – or stipulating that individual files must be encrypted before they can be transferred to a USB storage device.

Greater control means better security


The default USB port controls offered as part of most operating systems tend to be quite limited in terms of functionality. Security teams can choose to leave them completely open, designate them as read-only, or fully disable them. However, for those wanting a more nuanced approach, a much greater level of granular control can be achieved with the help of third party security applications and/or solutions. For instance, each plugged-in USB device is required to tell the OS exactly what kind of device it is as part of the connection protocol. With the help of USB control applications, admins can use this information to limit or block certain types of USB devices on specific endpoint ports. A good example would be permitting the use of USB mice via the port, but banning storage devices, such as USB sticks, that pose a much greater threat to security.

Some control applications go further still, allowing security teams to put rules in place that govern USB ports down to an individual level. This includes specifying exactly what kinds of files can be copied or transferred via a particular USB port, or stipulating that a particular port can only be used by devices from a pre-approved whitelist (based on their serial number). Such controls can be extremely effective at preventing unauthorised data egress, as well as malicious actions like trying to upload malware via an unauthorised USB stick. 

USB control and encryption solutions


It’s worth noting that a normal business network can contain hundreds, or even thousands of endpoints, each with one or more USB ports. As such, control and encryption solutions that can be managed centrally, rather than on an individual basis, are significantly easier to implement and manage. This is particularly true at this current point in time, where remote working protocols make it almost impossible to effectively manage devices any other way.

While portable USB drives and devices are seen as a quick, convenient way to transport or store data by employees, they often present a major headache for security professionals. Fortunately, implementing device control and encryption solutions can greatly improve the tools at a security team’s disposal to deal with such challenges and ensure both the network and sensitive company data remains protected at all times. A complete data protection solution with device control is one of the best investments an organisation can make to protect its data and systems.


Tim Bandos

Tim Bandos, CISSP, CISA, CEH is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and has a wealth of practical knowledge gained from tracking and hunting advanced threats that targeted stealing highly sensitive data. A majority of his career was spent working at a Fortune 100 company where he built an Incident Response organisation and he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.

Unlock the Power of WiFi 6: How To Leverage It...

TBT Newsroom • 01st March 2023

Are you tired of being left behind in the technological world? Well, fear not! WiFi 6 is here to save the day and bring your business into the future. With unprecedented speeds and a host of new capabilities, WiFi 6 is the must-have technology for any business looking to stay ahead of the curve.

Sustainable Phones

TBT Newsroom • 04th May 2022

Cat phones (made by UK-based company Bullitt Group) are explicitly designed to be rugged, with devices built to last and have a longer lifespan. Industry Analyst firm Canalys notes that the current average lifecycle of smartphones in the mass market is approximately 37 months for iPhones and 33 months for Android devices.

From Credit Cards To Mobile Payment  

Ripsy Plaid • 27th April 2022

Plaid, the open finance data network, and payments platform have appointed Ripsy Bandourian as its first Head of Europe as it continues to rapidly expand across the continent. Based in Amsterdam, Ripsy will lead the business strategy and operations for Plaid’s Europe arm as it moves into its next stage of growth. 

How biometric technology can be used for remote proof of...

Chris Corfield • 08th April 2022

The pandemic has accelerated the adoption of digital financial services, driving organizations to speed up their transformation programs globally. Most banks, as well as pension providers, are still in the early stages of integrating technologies such as machine learning and artificial intelligence, and as the world continues to battle the long-term effects of COVID-19, the...