Whether you call them ‘memory sticks’, ‘flash drives’, ‘flash disks’ or ‘thumb drives’, these USB devices are inexpensive, tiny and make it super easy to transfer data between computers. Unfortunately the convenience comes with risk.

Information loss / theft 

Probability: very high

  • Their size makes them easy to carry, but it also makes them easy to lose. While the device may be cheap, losing the data it contains could be very costly.
  • In a 2011 UK study, 72% of respondents reported losing sensitive information from USB drives.
  • Under POPI such a data loss has to be reported, and each customer whose data has been lost or stolen must be notified. It is difficult to quantify the damage that can be caused to reputation in such a case.

Malware (harmful software)

Probability: medium

  • USB drives can transmit viruses or worms, but in most cases having up-to-date antivirus software effectively protects against this type of risk.

BadUSB

Probability: low (unless you are specifically targeted)

  • A new type of risk, known as ‘BadUSB’, emerged in 2014 and is thought to affect half of all USB devices. What is worse is that it usually cannot be detected by antivirus software. Essentially, a BadUSB drive is reprogrammed in such a way that it pretends to be another USB device, like a keyboard or mouse. Once inserted, the BadUSB drive sends keystrokes and mouse clicks to the operating system, as if it were a person operating the computer. For example, the BadUSB device may be programmed to open a Terminal window and type commands that would allow a hacker to remotely access the computer. While it is somewhat technical to implement, full instructions are available on the internet.
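
Because a BadUSB device has to declare its keyboard or mouse role to the operating system when it is plugged in, that declaration can be checked. The following added example (not part of the original article) parses a USB configuration descriptor and flags input-device interfaces on something that is supposed to be a storage stick; the function names and the two sample descriptors are constructed for illustration.

```python
import struct

HID, MASS_STORAGE, DT_INTERFACE = 0x03, 0x08, 0x04  # USB class / descriptor codes

def interfaces(config: bytes):
    """Return (class, subclass, protocol) for each interface descriptor."""
    found, i = [], 0
    while i < len(config):
        if i + 2 > len(config) or config[i] < 2 or i + config[i] > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        length, dtype = config[i], config[i + 1]
        if dtype == DT_INTERFACE and length >= 9:
            found.append(tuple(config[i + 5:i + 8]))
        i += length
    return found

def assess(config: bytes, expected: str = "storage"):
    """List reasons a device sold as `expected` looks suspicious (empty = none)."""
    findings, ifaces = [], interfaces(config)
    for cls, sub, proto in ifaces:
        if cls == HID:
            # Boot-protocol HID devices name their role: 1 = keyboard, 2 = mouse.
            kind = {(1, 1): "keyboard", (1, 2): "mouse"}.get((sub, proto), "HID")
            findings.append(f"{kind} interface on a device expected to be {expected}")
    if expected == "storage" and MASS_STORAGE not in {c for c, _, _ in ifaces}:
        findings.append("no mass-storage interface present")
    return findings

def _config(*ifaces):
    """Build a constructed configuration descriptor for the samples below."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(ifaces))
    header = struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), len(ifaces), 1, 0, 0x80, 50)
    return header + body

# Constructed samples: an ordinary stick, and a stick that also claims to be a keyboard.
PLAIN_STICK = _config((MASS_STORAGE, 0x06, 0x50))
STICK_WITH_KEYBOARD = _config((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01))

if __name__ == "__main__":
    for name, cfg in [("plain", PLAIN_STICK), ("composite", STICK_WITH_KEYBOARD)]:
        print(name, assess(cfg) or "nothing unexpected")
```

Some legitimate products do combine storage with an input interface, so a finding is a reason to look closer rather than proof of tampering. On Linux the same class values can be read from each interface's `bInterfaceClass` file under `/sys/bus/usb/devices/`.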

How does it happen?

  • If a hacker is targeting your organisation, he could exploit people’s curiosity. It could be as simple as dropping a USB memory stick in your parking lot or reception area. In one study, 60% of people inserted a USB drive or CD, found in the office parking lot, into their computer. The percentage increased when any extra incentive was present, like having the company logo printed on the device or having a CD marked with ‘salaries’.

What can I do?

  • Policy & procedure
    • In more sophisticated IT departments it may be an option to ‘lock down’ USB ports, but this may be impractical.
    • You may impose a policy to limit the use of these devices. Such a policy will only have value if it is enforced across your own staff, contractors etc.
  • Awareness
    • Since data may be stored on a variety of mobile devices like laptops, external hard drives, mobile phones etc., it is crucial to foster awareness among staff about the risks of losing these types of devices and the sensitive data they may contain.
    • To help with awareness you can order a set of awareness posters specifically designed to maintain awareness of these risks.
  • Training
    • Use our unique interactive training tool to test your staff readiness.
  • Buy secure USB drives that automatically encrypt your data
    • http://www.loot.co.za/product/sandisk-cruzer-ultra-backup-usb-flash-drive-32gb/kmln-1728-g630

Read more

https://a248.e.akamai.net/f/1949/2751/8/media.kingston.com/pdfs/Ponemon/Ponemon_research_country_report_UK_1111.pdf

http://www.crn.com/news/security/240164674/lost-flash-drive-at-core-of-kaiser-permanente-data-breach.htm

http://www.bloomberg.com/news/articles/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy