Portable storage devices (e.g., USB thumb drives) pose a security risk to organizations but they also have legitimate use cases. Here is how your company can mitigate risks associated with removable storage devices while using them in a responsible manner.
What is a Portable Storage Device?
"A ‘portable storage device’ is a device that can be inserted into and removed from an information system, and is used to store data or information (e.g., text, video, audio, and/or image data)."
Examples of Portable Storage Devices
USB Thumb Drives
Floppy disks
External Hard Drives
SD Cards
Common Security Risks Associated with Portable Storage Devices
They can carry malware. If an employee plugs an infected device into their workstation, the workstation can become infected.
They make it easy to exfiltrate data. Without any security controls in place, an employee can copy their work files over and provide them to a third party.
Most are unencrypted. If your company doesn’t provide its own encrypted USB storage devices then chances are that employees are using unencrypted devices.
They are easy to lose. This can impact the availability of information and can impact confidentiality if the device is unencrypted.
The Best Strategy for Controlling Portable Storage Devices
In my experience, the best approach is to adopt a deny-all-allow-by-exception policy towards portable storage devices. This allows employees with a business need to continue using portable storage devices while reducing security risk. Using group policy, you can deny all removable storage devices and allow only authorized portable storage devices to be used on specific workstations. This is a bit cumbersome to set up but is well worth it. Some enterprise-grade antivirus solutions like BitDefender also allow you to do this. Make sure to configure your antivirus software to scan any portable storage device connected to your systems. Be sure to disable any portable storage device AutoPlay/AutoRun features on your operating systems. Finally, educate your users on the security risks associated with portable storage devices and your policies towards them.
Plan for Implementing a Deny-All-Allow-By-Exception Policy
Create an acceptable use policy for portable storage devices.
Before blocking all portable storage devices send out a survey to end-users to find out who uses portable storage devices and what the associated business need is.
Verify the business needs of your users.
Purchase encrypted portable storage devices for your users. I prefer Apricorn products because they can be used on any operating system, are encrypted, and are PIN-protected.
Whitelist the purchased storage devices. Enforce the whitelist with technical controls (e.g., using group policy settings).
Distribute your company controlled portable storage devices to users who have a business need. Be sure to document the serial number of the device and the name of the user it was provided to.
Provide guidance to employees on the secure use of portable storage devices.
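The following PowerShell audit script is an added example and is not part of the original post. It reads the registry locations that the Group Policy settings named in the strategy above write to (Removable Storage Access, Device Installation Restrictions, and AutoPlay), reports whether a workstation is in the deny-by-default posture, and lists any attached USB disk whose device instance ID is not in the allowlist, which is the identifier you record alongside the serial number when a device is issued. It assumes the allowlist is enforced with the "Allow installation of devices that match any of these device instance IDs" policy.

```powershell
# Added audit script (not from the original post). Run elevated on a workstation.
$rsd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$inst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$expl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the setting has never been applied to this machine
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# The exception list is stored as string values named "1", "2", ... under AllowInstanceIDs
$allowKey  = Get-ItemProperty -Path "$inst\AllowInstanceIDs" -ErrorAction SilentlyContinue
$allowList = @()
if ($allowKey) {
    $allowList = @($allowKey.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)
}

# "All Removable Storage classes: Deny all access" (blanket deny, no exceptions possible)
$blanketDeny = (Get-PolicyValue $rsd 'Deny_All') -eq 1
# "Prevent installation of devices not described by other policy settings" (deny-by-default model)
$denyUnspec  = (Get-PolicyValue $inst 'DenyUnspecified') -eq 1
# "Allow installation of devices that match any of these device instance IDs" (the exceptions)
$allowOn     = (Get-PolicyValue $inst 'AllowInstanceIDs') -eq 1

$checks = [ordered]@{
    'Deny by default (blanket deny or install restriction)'   = $blanketDeny -or $denyUnspec
    'Exception list enabled and non-empty'                    = $allowOn -and ($allowList.Count -gt 0)
    # "Turn off AutoPlay" for all drive types writes 0xFF here
    'AutoPlay disabled for all drives (NoDriveTypeAutoRun)'   = (Get-PolicyValue $expl 'NoDriveTypeAutoRun') -eq 255
}

"== Portable storage posture on $env:COMPUTERNAME =="
foreach ($c in $checks.GetEnumerator()) {
    '{0,-56} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}

# An UNAPPROVED device that is present either pre-dates the policy or shows the
# policy is not being applied; both are worth following up on.
"`n== USB disks attached now (instance ID is what the allowlist needs) =="
Get-PnpDevice -PresentOnly -Class DiskDrive |
    Where-Object InstanceId -like 'USBSTOR\*' |
    ForEach-Object {
        $status = if ($allowList -contains $_.InstanceId) { 'approved' } else { 'UNAPPROVED' }
        '[{0}] {1}  {2}' -f $status, $_.FriendlyName, $_.InstanceId
    }
```

Note that "Prevent installation of devices not described by other policy settings" applies to every device class, so a real deployment also needs allow entries for keyboards, mice and other required hardware; pilot it on one workstation before rolling it out.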
Portable Storage Device Alternative
Nowadays many companies use cloud storage services like Microsoft OneDrive or Google Drive. Companies have much more control over these storage locations than they have over portable storage devices. Cloud storage services allow you to limit access to files and folders by requiring users to authenticate. File sharing is also relatively secure, as you can control who can view your file and for how long. You can even implement location-based restrictions. End-users are often unaware of these features, which is partly why some prefer to share files the old-fashioned way using a USB thumb drive. Training end-users on how to leverage secure cloud storage capabilities instead of USB thumb drives can benefit both productivity and security.
Conclusion
By not controlling the use of portable storage devices in your organization you open the door to data leaks and malware infections. The vast majority of end-users do not require portable storage devices to fulfill their duties. In my experience adopting a deny-all-allow-by-exception policy towards portable storage devices is a sound approach. If you have any questions feel free to reach out to us at info[@]lakeridge.io.