The best security practices for removable devices and media
Most of us are familiar with the dangers of email attachments, or downloading files from dodgy websites. Downloading and running unknown files is a classic means of transmitting computer malware, and many businesses use stringent filters to stop these threats at source. What many people don’t realise is that physical devices present a growing threat, both to the devices and the networks they connect to.
From USB drives to mobile phones to personal laptops, plugging a device into another computer could allow malware on that device to spread through connected networks, and put other people’s files at risk. Read on to learn more about these ‘removable devices’, what you can do to prevent the spread of viruses and other malware, and how you can keep your information and reputation safe.
What are removable devices?
Removable media and devices are forms of portable hardware. The most common is a USB drive, but other examples include external hard drives, SD cards and CF cards. Due to their portability and growing capacities, these are commonly used to store and transport files, including documents, photos, videos and even software.
While online storage has reduced the reliance on removable devices and media, they remain a common and low-cost means to share files, particularly in areas where internet upload speeds remain low. They are also helpful in that they can be plugged into a range of devices, with Macs and PCs both featuring SD, CF and USB connectors.
While not typically categorised as removable devices, mobile phones also increasingly fall into this bracket. Due to their substantial internal storage, capability for work applications, and ability to connect with computers either over a wired or wireless connection, the use of mobile phones for storing and transmitting files to desktops and laptops is growing.
What are the dangers of removable devices?
Understanding why removable devices are dangerous requires a basic comprehension of how networks operate. Within businesses, computers and other devices generally operate on a local area network (LAN). These can be wired or wireless, but the basic principle is the same: all of the devices are linked together, either directly or through an intermediary, and have the capacity to access and share each other’s files.
Usually, there will be a number of protections to prevent malicious access attempts, and the transmission of harmful files. Firewalls prevent unauthorised users from interacting with a network, while filters and antivirus applications scan or block files, preventing them from being downloaded or executed if they are deemed to be harmful. All of this prevents the device (and devices connected to it) from being compromised.
These protections often do not exist for removable devices. If you plug a USB drive, memory card or other removable media into a networked device, any harmful files lurking on that removable device could automatically execute, infecting the device you’ve connected them to. From here, they can make their way throughout the network, infecting all of the connected devices, and potentially causing files to become compromised or removed.
Transmitting malware in this way could lead to:
- Loss of information. Even if you don’t think the data on your device is that confidential, cybercriminals can make use of many types of data in different scams. Data loss can also give away information to competitors, resulting in a loss of competitive advantage.
- Introduction of malware. Malware infections can be highly damaging to the systems at your company, expensive to deal with, and cause serious harm to the company’s reputation.
- Reputational damage. Any loss of data or introduction of malware to a device controlled by the company can seriously harm the company’s image and reputation in the eyes of customers and partners.
How to prevent data exposure
There is one simple cybersecurity best practice that should be drilled into every employee: removable devices and media must only be plugged or inserted into your computer if you trust and know the source.
One of the most common social engineering scams involves a malware-infected USB drive. The cybercriminal leaves this USB device in the parking lot, lobby or other area close to a workplace. An employee walking past is likely to see it and pick it up, assuming that someone has accidentally dropped it.
That employee may then insert the device into their computer, hoping to find a clue about the device’s owner. Once the USB device is inserted into the computer, however, the malware hidden within will be able to spread into the system, leaving a backdoor for the owner to enter the network, or directly compromising its files and software.
A few simple security measures will help you protect the integrity and security of data on your portable devices:
- Protect devices with secure passwords whenever possible.
- Once you have finished transferring data using a removable device, wipe the data from the device immediately. Formatting the device should ensure that all data is erased, including malicious files that may be hidden from view.
- Protect data on devices such as USB sticks, portable hard drives and mobile phones with encryption.
How to prevent the spread of malware through removable devices
Here is what you should do the help prevent the spread of malware through removable devices:
- Never plug in a device that has been unaccounted for or if you’re not completely certain of its contents.
- Never plug in a device not owned or controlled by your organisation into a computer that’s part of your organisation’s network unless directly approved by your IT support team.
- Never plug a device that you have found into a computer, either at home or work. Instead, you should hand it over to lost and found, or your IT support team, who will be able to access it safely.
- Always have up-to-date antivirus software enabled on your devices.
After reading this information, we hope you understand why it is essential that you avoid plugging in any devices that you don’t control or trust, or have been unaccounted for, into any computer. To discuss your security protocols further, or for any more information, please don’t hesitate to contact us.