Removable media has always proved a convenient way for employees to access personal and business data on the go.
Portable devices such as USB sticks, smartphones, SD cards and external hard drives have enabled employees to copy and transfer data, take it off site and conduct their day to day business outside the secure perimeters of the office.
However, as the use of these devices has increased, so has the associated risks. The very properties that make these devices portable and enable them to connect to various networks, also make them vulnerable to network security breaches.
The failure to effectively manage the import and export of data could expose an organisation to the following risks:
- Loss of Information – Removable media devices can easily be lost resulting in the compromise of large volumes of sensitive information.
- Introduction of malware – The uncontrolled use of removable media can increase the risk of malware being transferred to critical business systems.
- Reputational damage – The loss of sensitive data can erode customer confidence in the organisation, resulting in significant reputational damage.
- Financial loss – If sensitive information is lost or compromised the organisation could be subjected to financial penalties.
The security risks posed by the use of removable devices are just too great for organisations to ignore. In recent months, leading computing company IBM banned all its staff from using removable storage devices due to the possible financial and reputational damage that could be caused from misplaced, lost or misused removable portable storage devices.
A seemingly harmless portable media device has the potential to trigger a massive cyber-attack, even when the computer system targeted is isolated and protected from the outside.
There are numerous ways for attackers to use removable media devices to infect computer systems and one of the most common methods used is through an infected USB stick. Criminals often use a popular form of social engineering, known as ‘Baiting’, to launch an attack.
Baiting, as the name implies involves luring someone into a trap to steal their personal information or infect their computer with malware. The attacker will often leave a malware infected device, such as a USB stick, in a busy place where someone can find it.
The criminal will then rely on human curiosity to complete the scam and as soon as the device is plugged into a system, it will infect an entire network with malware.
This is exactly what happened in one of the first ever nation state cyber-attacks in 2010. A computer worm known as Stuxnet was placed on an infected USB stick and used to gain access to Iranian computer systems.
Once the worm had infected a computer, it was able to replicate itself to any flash drives connected to the PC, and then spread from those drives to other computers.
The worm was introduced to solely target computers in an Iranian uranium enrichment facility, however due its rapid ability to propagate, it ended up infecting computers in 155 countries worldwide.
The consequences of using an infected removable media device can have massive ramifications for an organisation. Human error remains the number one cause of a cyber-attack, so it’s vital that staff follow the correct procedures when handling removable media devices outside of the office.
To ensure that company data is safe and secure, employees should follow the below guidelines when handling removable media:
- Limit the use of all removable media devices except when specifically authorised.
- Apply password protection. To safeguard sensitive information and restrict access, all removable media should be protected with strong passwords.
- Encrypt information held on removable media. If the use of removable media is required, the information on all devices should be encrypted. The level of encryption will depend on the sensitivity of the information stored on the device.
- Never copy files to removable media unless it is necessary or has been authorised.
- Scan all media for malware. Removable media should be thoroughly scanned for malware before it is brought in to use or received from any other organisation.
- Never leave removable media lying around. Lock it securely away when not in use.
- Disable Bluetooth, Wi-Fi, and other services when you’re not using them.
- Never attempt to access files from any removable media that you may have found. It may contain a virus that will infect computer systems with malware.
- When using Bluetooth, set it to the “non-discoverable” mode to hide the device from unauthenticated devices.
- Report missing devices immediately, so they can be cleared of all data.
- Use security software and keep all software up to date.
The MetaCompliance product range has been created to meet the needs of businesses operating in a constantly evolving cyber security landscape. Contact us for further information on how we can help improve cyber security awareness within your organisation.