Convenience often beats security where users are concerned. Take USB keys, for example. They’re a very handy way to transfer files between computers, but they’re also a huge security risk. IBM recently attempted taking the drastic step of banning all removable portable storage devices (eg: USB, SD card, flash drive) completely. Should others follow suit?
To explore this issue deeper, I spoke to Neha Thethi, senior cybersecurity analyst at BH Consulting. She said for an attacker who has physical access to the victim’s machine, USB sticks are an effective way to install malicious software on a device or a network. Human nature being what it is, unsuspecting users will often plug unknown drives into their computers. From there, attackers have multiple ways to compromise a victim’s machine.
In fact, a classic tactic for security experts to test an organisation’s security awareness levels is to drop infected USB drives in a public area as part of a ‘red team’ exercise. If a percentage of employees picks up a key and plugs it into their machine, it’s a useful indicator of gaps in that organisation’s security.
Alternatives for file sharing
In Neha’s experience, given the current file sharing technologies available, many employees don’t need to use USBs for general tasks anyway. “We have found that restricting USB keys can definitely work. Most users in an organisation don’t really need access to those ports,” she said. Even where colleagues might need to share documents, it’s easier and safer to use a cloud service approved by their organisation.
But before banning USBs (or other removable media) outright, Neha recommends taking these five steps:
- Discover what data you have
- Know where you are storing the data
- Classify the data according to its importance
- Carry out a risk assessment for the most important data
- Protect the data based on the level of risk – including encryption if necessary.
A company can take some of the steps by itself, but it’s best to use the experience of a security specialist within the company or a third party to carry out the security risk assessment. “The assessment should be conducted with the help of an expert team based on the type of industry and service you provide. Otherwise, you end up with an inaccurate picture of the security risks the organisation faces,” she said.
Prepare for pushback
If a USB ban is identified as a risk treatment measure, be prepared for pushback from some employees. Some of that will stem from company culture. Is the organisation reliant on rules, or do staff expect a degree of freedom? “Not everyone will give a round of applause for more security, because it is a hindrance and an extra step,” Neha warned. “Expect and anticipate pushback and therefore put in place incentives for blocking USBs. If people aren’t happy and are not on board with the change, it leads to them bending the rules.”
In some cases, there may be genuine exceptions to a no-USB rule. IBM itself faced pushbacks and is reportedly considering making a few exemptions. Neha also gave the example of a media company that uses high-quality digital photographs for its work. While it restricted USB ports for all employees, it made an exception for its media person. This person needed to transfer these high-quality images from the camera to a company device. Their specific role meant they got formal approval to have their USB port enabled.
Banning USB sticks should be workable in many cases, because better, more convenient and secure alternatives exist in the form of cloud sharing platforms. But like with the implementation of most security measures, it always helps to be prepared and plan for multiple scenarios.