Back to Cybersecurity Basics – Part 6: Removable Media Controls
One of the most difficult things to manage from an IT Security perspective is the actions of your users. Even the most trustworthy employees can fall prey to a phishing scam or leave their laptop on a train and then we have those employees who aren’t so trustworthy who may try to maliciously sabotage or steal sensitive information.
One action that IT must be able to control is the use of Removable Media. According to whatis.com Removable Media is…
‘Any type of storage device that can be removed from a computer while the system is running. Examples of removable media include CDs, DVDs and Blu-Ray disks, as well as diskettes and USB drives’
This was their definition of Removable Media back in 2010, however as is the way, technology now moves forward at a fast pace, and devices such as Smartphones and Smartwatches can be included in this list.
Removable Media makes it very easy for employees to move data from system to system, and companies that allow their employees to use Removable Media need to understand the risks and what they can do to mitigate these (see our Blog on Information Risk Management).
There is two stand out risks when it comes to Removable Media – employees downloading and stealing/losing sensitive information and uploading Malware to corporate systems.
Losing things like USB Drives is very easy to do and you would be surprised how easy it is for Malware to find its way on to corporate systems this way. Only last year IBM shipped an unspecified number of USB flash drives containing an IBM Storewize initialisation tool infected with malicious code to its CUSTOMERS.
It’s not an option to simply block USB drives as some companies rely heavily on them. There are though certain things you can do to increase your confidence that Removable Media devices are being used appropriately.
Limit the use of Removable Media – There may be a number of examples where you need to use Removable Media to support a particular business need. When this is the case ensure that only those who have the need, actually have the ability to use a Removable Media device. Track who these employees are and how they are using the devices.
Set Policies – If you get a handle on who within the business is permitted to use Removable Media devices, you can then go one step further and set policies regarding how they are used and what data is allowed to be transferred in this way.
Scan for Malware – Another policy that really must be introduced is that all devices are scanned for Malware the second it is plugged
into a corporate system. There is a good chance that your users will plug their devices into non-corporate machines that you have no control over, leaving them open to infection. Ensure that your Antivirus software is fully up to date.
Formally Distribute Devices – Ensure that those who need to use Removable devices for their day-to-day jobs are formally assigned their own corporate device. Ensure that you explain to users that they are responsible for its safe keeping and use.