Jon Fielding at Apricorn explains why organisations need to take far greater care over the use of peripheral computing devices such as USB sticks
Peripheral devices such as USB sticks continue to pose a major threat to corporate security. Because they plug in behind the network perimeter, they can bypass defences built around it, which is why they are often used as a vehicle for malware such as ransomware, spyware and keyloggers, or to exfiltrate data.
In fact, over half of companies reported having data stolen via a USB device over the past two years.
Part of the problem comes down to overconfidence among users, who assume safeguards that may not exist. For instance, a fifth of workers said they would happily plug in a USB stick they had found or been sent because they believed the security software on their laptop or desktop would scan the device and mitigate any issues. Only a third said they would not plug in the device but would instead take it to their security team. The assumption is unsafe: endpoint scanners look at files, but a malicious device can present itself to the operating system as a keyboard and type commands the moment it is connected, and nothing in a file scan will catch that.
This poses a real threat, because press reports suggest that incidents of infected USB sticks being sent to targeted users via ecommerce sites are on the rise.
A false sense of security
There’s also confusion over whether deleted data is gone for good, with many believing it is partially or fully erased. In reality, deleting a file (or quick-formatting the drive) only removes the directory entry that points to it; the bytes stay on the flash until something overwrites them, and they can be recovered with software that is freely available online. This means that when these USB sticks are discarded, or passed on, they continue to pose a threat to the company.
It’s for this reason that organisations need to educate users on data sanitisation, which ensures a device is properly wiped: either the whole storage area is overwritten, or, on a hardware-encrypted drive, the encryption key is destroyed so that everything on the flash becomes unreadable.
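To make the point concrete, here is an added Python example (not from the article and not Apricorn's code) that models a tiny FAT-style flash image: deleting a file clears only its directory entry, a raw scan of the data area still finds the contents, and only an overwrite removes them. The image layout, the file name and the "secret" contents are constructed for the demonstration.

```python
"""Toy flash image: a directory of (name, offset, length) entries followed by a data
area. As on FAT-style filesystems, deleting a file removes its directory entry only;
the bytes stay in the data area until they are overwritten. Constructed example."""
import struct

DIR_SLOTS = 8
ENTRY = struct.Struct("<16sII")            # name (16 bytes), offset, length
DATA_START = DIR_SLOTS * ENTRY.size
IMAGE_SIZE = 4096


def new_image() -> bytearray:
    return bytearray(IMAGE_SIZE)


def list_files(img: bytearray):
    """Walk the directory; an entry with length 0 is free."""
    out = []
    for slot in range(DIR_SLOTS):
        off = slot * ENTRY.size
        raw_name, o, l = ENTRY.unpack(img[off:off + ENTRY.size])
        if l:
            out.append((raw_name.rstrip(b"\0").decode(), o, l))
    return out


def write_file(img: bytearray, name: str, data: bytes) -> None:
    """Append the data after the last allocated byte and claim a free directory slot."""
    used_end = max([DATA_START] + [o + l for _, o, l in list_files(img)])
    if used_end + len(data) > IMAGE_SIZE:
        raise OSError("image full")
    for slot in range(DIR_SLOTS):
        off = slot * ENTRY.size
        if img[off:off + ENTRY.size] == b"\0" * ENTRY.size:
            img[used_end:used_end + len(data)] = data
            img[off:off + ENTRY.size] = ENTRY.pack(name.encode().ljust(16, b"\0"),
                                                   used_end, len(data))
            return
    raise OSError("directory full")


def delete_file(img: bytearray, name: str) -> None:
    """What 'delete' really does: zero the directory entry, leave the data alone."""
    for slot in range(DIR_SLOTS):
        off = slot * ENTRY.size
        raw_name, _, l = ENTRY.unpack(img[off:off + ENTRY.size])
        if l and raw_name.rstrip(b"\0").decode() == name:
            img[off:off + ENTRY.size] = b"\0" * ENTRY.size
            return
    raise FileNotFoundError(name)


def carve(img: bytearray, needle: bytes) -> bool:
    """What free recovery tools do: ignore the directory and scan the raw data area."""
    return needle in img[DATA_START:]


def sanitise(img: bytearray) -> None:
    """Overwrite the whole image with a fixed pattern (NIST SP 800-88 'clear'). On
    flash, wear levelling can keep stale copies the host cannot address, which is why
    hardware encryption plus key destruction is the stronger 'purge' option."""
    img[:] = b"\0" * IMAGE_SIZE


def demo():
    img = new_image()
    secret = b"payroll-2024-CONFIDENTIAL"
    write_file(img, "payroll.csv", secret)
    delete_file(img, "payroll.csv")
    after_delete = carve(img, secret)   # directory entry gone, bytes still present
    sanitise(img)
    after_wipe = carve(img, secret)     # gone only now
    return after_delete, after_wipe
```

Running `demo()` returns `(True, False)`: the "deleted" payroll file is found by a plain byte scan until the data area is overwritten. A real recovery tool does the same thing with file-type signatures instead of a known string.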
Temporary data storage can of course come in all shapes and sizes with many opting to use a file sharing platform such as Dropbox or Google Drive.
However, these are not necessarily more secure than USB drives. In 2024 Dropbox disclosed that an attacker had gained access to Dropbox Sign, its e-signature service, and obtained customer account data including email addresses, hashed passwords, API keys and OAuth tokens, any of which could be used to get at the data stored in those accounts; and credentials from an earlier breach of some 68 million Dropbox accounts have been circulating online for years. These platforms need to be managed too, with security policies applied to restrict their use in the corporate environment and reduce the risk of a data breach.
The portability of USBs can also make users cavalier about who has access to them. It’s common to share these devices with colleagues, or even with family members including children saving homework, largely because we don’t think of it as dangerous behaviour. It’s a problem that stems from how we talk about data handling.
If those users were asked about their data handling, the chances are they would consider themselves highly diligent, which is why we need to talk about data in a more human way and by use case.
How to help users
These misconceptions and examples of misuse all point to the need to think about how we interact with and transport data. These devices remain hugely relevant and convenient, which is why they are as popular today as they were 20 years ago, and they can be used safely and securely provided certain measures are put in place.
Firstly, many of the USB sticks in use have no encryption and no password protection. The industry standard is AES 256-bit encryption, which is internationally recognised. It is worth being precise about where the brute-force resistance comes from: AES-256 makes guessing the key itself infeasible, but a PIN or password is a far smaller space, so the protection against guessing it is the hardware crypto chip that holds the key, performs the PIN check itself and limits the number of attempts. Because the key never leaves the chip, an attacker cannot copy the encrypted flash and run the guesses offline on a faster machine.
In fact, the most sophisticated devices will delete the data, typically by destroying the encryption key so that everything on the flash becomes unreadable, if a pre-determined number of consecutive incorrect PINs or passwords is entered. Alongside this, encryption ensures that the data remains protected even if the device is lost or stolen.
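The following is an added Python model of that design (not Apricorn firmware or any vendor's code): a random 256-bit data-encryption key exists only inside the device object, a PIN releases it, and the key is zeroised after a fixed number of consecutive wrong PINs. The standard library has no AES, so HMAC-SHA256 in counter mode stands in for AES-256; the attempt limit of 10, the PBKDF2 round count and the PINs are assumptions for the example.

```python
"""Model of a PIN-protected hardware-encrypted drive. Constructed example: the
cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-256, and the
MAX_ATTEMPTS policy is assumed, not taken from any real product."""
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 10            # assumed lockout policy
PBKDF2_ROUNDS = 50_000       # assumed; slows each guess the chip has to verify


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream block i = HMAC(key, nonce || i); XOR is symmetric, so one function
    both encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class SecureDrive:
    def __init__(self, pin: str):
        self._dek = secrets.token_bytes(32)     # data-encryption key; never leaves the "chip"
        self._salt = os.urandom(16)
        self._pin_check = self._derive(pin)     # verifier, not the PIN itself
        self._failures = 0
        self._flash = None                      # (nonce, ciphertext) as it sits on the NAND
        self.unlocked = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ROUNDS)

    @property
    def key_destroyed(self) -> bool:
        return self._dek is None

    def unlock(self, pin: str) -> bool:
        if self.key_destroyed:
            return False                        # nothing left to unlock
        if hmac.compare_digest(self._derive(pin), self._pin_check):
            self._failures = 0
            self.unlocked = True
            return True
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._dek = None                    # zeroise: ciphertext on flash is now unrecoverable
            self.unlocked = False
        return False

    def lock(self) -> None:
        self.unlocked = False

    def write(self, plaintext: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("drive locked")
        nonce = os.urandom(16)                  # fresh per write; reuse would leak XOR of plaintexts
        self._flash = (nonce, ctr_xor(self._dek, nonce, plaintext))

    def read(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive locked")
        nonce, ciphertext = self._flash
        return ctr_xor(self._dek, nonce, ciphertext)


def brute_force(drive: SecureDrive, digits: int = 4):
    """Attacker walks the PIN space in order; returns (success, attempts_made)."""
    for n in range(10 ** digits):
        if drive.unlock(str(n).zfill(digits)):
            return True, n + 1
        if drive.key_destroyed:
            return False, n + 1
    return False, 10 ** digits
```

With a four-digit PIN the attacker needs at most 10,000 guesses, so the key length alone would not save the data; the counter ends the attack after ten, and because the key is only ever checked inside the device, the attacker cannot image the flash and guess offline. A real device does none of this on the host: the host only ever sees an already-unlocked mass-storage device.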
Secondly, user education is a must to ensure that workers are aware of how the practices outlined above can contravene acceptable use and data handling policies. Such training needs to take a ‘real world’ approach and look at how workers access data, where they work on it, whether they use portable storage media and the need for that media to also be regarded as an endpoint in its own right.
Awareness training also needs to foster a culture of open disclosure so that in the event data is put at risk by a device being lost or stolen the user reports it without hesitation.
Thirdly, it’s down to the organisation to limit the potential for compromise. By sourcing USB devices from a trusted supplier, issuing them to staff and putting security mechanisms in place, the organisation can significantly reduce risk.
The security team should be able to see every time a USB key is used, for example, and should lock down ports to accept only approved devices, identified by vendor and product ID and, ideally, serial number, since vendor and product IDs alone are easy to clone. This will prevent users from accessing third-party USB devices, because any that are not company sanctioned will be blocked by default.
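As an added illustration of that allow-listing and visibility (not Apricorn's product or any vendor's code), the Python below parses constructed Linux kernel-style USB attach messages, matches each device against an allow-list keyed on vendor ID, product ID and serial number, and produces one decision per event in the form the security team would forward to its logging platform. The log lines, IDs, serials and the inventory itself are invented for the example.

```python
"""USB attach audit over dmesg-style lines. Constructed sample log and allow-list;
the format of the 'New USB device found' and 'SerialNumber:' lines follows the
Linux kernel's usb core messages."""
import re

# Constructed sample, not a real capture.
SAMPLE_LOG = """\
usb 1-3: New USB device found, idVendor=1a2b, idProduct=0c0d, bcdDevice= 1.00
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-3: Product: Corp Secure Key
usb 1-3: SerialNumber: CSK-000123
usb 2-1: New USB device found, idVendor=1a2b, idProduct=0c0d, bcdDevice= 1.00
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-1: SerialNumber: CSK-999999
usb 1-4: New USB device found, idVendor=0f0f, idProduct=4242, bcdDevice= 2.10
usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-4: Product: Free Promo Drive
usb 1-4: SerialNumber: PROMO1
usb 1-5: New USB device found, idVendor=0f0f, idProduct=0001, bcdDevice= 1.00
usb 1-5: New USB device strings: Mfr=0, Product=0, SerialNumber=0
"""

# Company-issued drives keyed on (idVendor, idProduct, serial); assumed inventory.
ALLOWLIST = {("1a2b", "0c0d", "CSK-000123")}

FOUND = re.compile(r"^usb (?P<port>\S+): New USB device found, "
                   r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"^usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)$")


def parse_attach_events(log: str):
    """One dict per 'New USB device found' line, serial filled in if the device reports one."""
    current, events = {}, []
    for line in log.splitlines():
        m = FOUND.match(line)
        if m:
            dev = {"port": m["port"], "vid": m["vid"], "pid": m["pid"], "serial": None}
            current[m["port"]] = dev
            events.append(dev)
            continue
        m = SERIAL.match(line)
        if m and m["port"] in current:
            current[m["port"]]["serial"] = m["serial"]
    return events


def decide(dev, allowlist=ALLOWLIST) -> str:
    if (dev["vid"], dev["pid"], dev["serial"]) in allowlist:
        return "allow"
    if dev["serial"] is None:
        return "block-no-serial"            # cannot be one of the issued devices
    if any((v, p) == (dev["vid"], dev["pid"]) for v, p, _ in allowlist):
        return "block-suspected-clone"      # right VID/PID, wrong serial: IDs are trivially spoofable
    return "block"


def audit(log: str, allowlist=ALLOWLIST):
    """(port, vid, pid, serial, decision) per attach event, ready for the SIEM."""
    return [(d["port"], d["vid"], d["pid"], d["serial"], decide(d, allowlist))
            for d in parse_attach_events(log)]
```

Enforcement belongs to the operating system rather than to a script: on Linux, USBGuard rules of the shape `allow id 1a2b:0c0d serial "CSK-000123"` apply exactly this policy before the device is authorised, and on Windows the equivalent is a removable-storage device installation policy via Group Policy or Intune. The second decision is the one worth alerting on: a device that matches an issued drive's vendor and product IDs but not its serial is more likely a clone than a coincidence.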
Taking these steps can then help address the misuse of USBs and ensure that if the worst does happen and the device is compromised, the data doesn’t fall into the wrong hands.
Jon Fielding is Managing Director for EMEA at Apricorn
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543