By Ondrej Krehel,

How do most corporate data breaches happen? Lost laptops and USB drives.

Now many businesses have some kind of security practice in place for lost corporate computers, whether it’s encrypted drives with remote wipe, or a procedure for calling in and reporting the loss. But how many have USB drive best practices on the books? Not many.

Yet USB drives, because of their size, are more likely to be lost than laptops or smartphones. And loaded with sophisticated malware and viruses, USB drives have been used to penetrate some of the world’s most sensitive networks, from the Department of Defense on down.

So how do you protect against lost data or network intrusions associated with USB storage devices or thumb drives? Here are the best practices for designing your company’s USB drive policy:

1.  Enable USB functionality on a need-to-have basis. Disable storage devices on computers with access to sensitive information. It will limit exposure and reduce the risk of unauthorized data being transferred away from your organization.

2.  If your business needs USB drives, issue devices that provide whole drive encryption and are passphrase protected.

3.  Make sure those drives have remote management options, such as remote wipe or remote lock. Drives like those from IronKey have remote administration tools that also enforce strong passwords, have strict re-entry limits, disable portable applications and, believe it or not, even self-destruct.

4.  Look for drives that provide event logging and geotagging, so information on what computer, and where, is retained on every use.

5.  Enforce USB scanning on all corporate computers whenever a thumb drive is plugged in. This can help ensure no malware or malicious programs are on the drive. Allow only corporate-signed and approved applications to be run from the drive.

6.  Regularly audit USB devices to ensure that only documents in compliance with acceptable usage are being stored. This is a snatch and scan. It only takes a few of these kinds of trips around the office before everyone is very aware of the seriousness of the new USB policy.

7.  Perform regular backups of USB devices internally, including encryption keys, for data recovery purposes. Ensure that backups are properly safeguarded, and have separate procedures and security controls for backup of encryption keys. It’s also another excellent way to monitor what information is being moved to and from the device.

8.  Test data recovery procedures to ensure that the corporate security office can unlock and access any USB drive, even if an end user or malware maliciously disables the USB drive.

9.  Ensure that mobile devices with USB storage cards—such as digital cameras and SD Card readers—have the same controls as any USB drive.

10.  If possible, issue USB devices with unique serial numbers tagged in the firmware, as well as etched on the outside cover.

11.  Know your assets. Have a precise count of the USB devices at your organization. List them by owner and use. Ban use of all personal USB devices, without question, on any work computers or for any work use.

12.  If a USB device is lost, take a look at that latest secure backup to review what was lost and the potential risk. Consider recovering the drive through those geotagging features, or wiping or destroying the device with remote administration tools.
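
One way to enforce items 10 and 11 on Linux hosts, as an added example that is not part of the original article: a Python script that reads kernel log lines, picks out every USB mass-storage attach, and checks the reported serial number against the asset inventory. The log sample, the inventory contents and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample of Linux kernel log lines (dmesg format); not real devices.
SAMPLE_LOG = """\
[ 101.10] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 101.11] usb 1-2: SerialNumber: CORP-0001
[ 101.12] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 250.40] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[ 300.70] usb 1-4: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[ 300.71] usb 1-4: SerialNumber: AA00000000000489
[ 300.72] usb-storage 1-4:1.0: USB Mass Storage device detected
[ 410.00] usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 410.01] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical asset inventory: serial number -> owner and approved use.
INVENTORY = {"CORP-0001": ("j.doe", "field backups")}

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([\d.-]+):[\d.]+: USB Mass Storage device detected")

def audit(log_text, inventory):
    """Return one finding per mass-storage attach: (port, vid:pid, serial, verdict)."""
    devices = {}   # port -> state of the device currently on that port
    findings = []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            # A new attach on a port replaces whatever was plugged in there before.
            devices[m[1]] = {"id": f"{m[2]}:{m[3]}", "serial": None}
        elif m := SERIAL.search(line):
            if m[1] in devices:
                devices[m[1]]["serial"] = m[2]
        elif m := STORAGE.search(line):
            dev = devices.get(m[1], {"id": "unknown", "serial": None})
            serial = dev["serial"]
            if serial is None:
                verdict = "NO_SERIAL"          # cannot be tied to an inventory record
            elif serial in inventory:
                verdict = "APPROVED"
            else:
                verdict = "UNLISTED"           # personal or unregistered drive
            findings.append((m[1], dev["id"], serial, verdict))
    return findings

if __name__ == "__main__":
    for port, ids, serial, verdict in audit(SAMPLE_LOG, INVENTORY):
        print(f"{verdict:9} port={port} id={ids} serial={serial}")
```

The serial number is whatever the device reports about itself, so a match shows the drive claims to be an inventoried one; it does not authenticate the hardware. Devices that are not mass storage, such as the receiver on port 1-3 in the sample, are ignored.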

Portable and mobile storage devices are significant players in most corporate offices. Ensuring proper protection with a best practices policy and strict enforcement offers significant risk reduction—and can prevent long nights on data breach investigations.


Ondrej Krehel, Chief Information Security Officer,
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
