USB storage drives. Cheap and convenient, but also easily misplaced. Whether it’s slipping out of a pocket on a train, or wedging down the back of a seat in a coffee shop, they have a tendency to disappear before you realise it, never to be seen again. Have you ever considered the risks of a lost USB stick?
Have you ever stumbled across a random or lost USB stick?
What have you done with it?
Or more importantly what would you do?
The sensible side of us knows that it’s best to hand it in to lost property, authorities or to just bin it.
However, as human beings we have a tendency to be a mix of the following attributes:
- quick thinkers: acting in haste, we often make poor decisions
- curious: wondering what's on it niggles away at us; we have to have answers
- helpful: it might have important files on it, and wouldn't it be nice to reunite the lost USB stick with its rightful owner?
Some may mindlessly plug in flash drives to a computer without even thinking about it. Others may be more considered, and so begins the negotiation between risk and reward. Reward wins most of the time, and the flash drive gets plugged into a device “just for a few minutes, what harm can it do?”
Quite a lot actually.
Unfortunately, cyber criminals often use the lost USB stick ploy as a tactic, hoping that a kind but gullible do-gooder will plug it in, gaining them entry to devices.
Malware from a USB device can take control of a computer, upload files, track browser history, infect software and even give an attacker remote keyboard control, allowing them to get hold of your access credentials for email, social media, banking, utility and retail accounts.
If the infected USB stick gets plugged into a work computer, then the hackers have struck gold, as they have the ability to cause widespread damage across corporate networks.
Not every USB stick is a storage device: some USB dongles look identical to a memory stick but actually contain scripts and code that execute as soon as they are plugged in, irrespective of any virus protection software present.
With human error accounting for 90% of security breaches, the danger of plugging in a random USB device is just one of the security risks posed to businesses.
At a basic level, we recommend that you:
- Ensure that antivirus software is updated on all devices that connect to your network.
- Switch to cloud computing, which allows for safe storage and accessibility of files across a secured network.
- If users want to make use of USB drives, insist they are encrypted.
- Implement an EDR solution (endpoint detection and response) which monitors activity across all connected devices.
- Invest in staff training and continual cyber security awareness programs.
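One concrete check that the endpoint monitoring recommended above can perform, added here as an illustration rather than code from the original article: the look-alike dongles described earlier typically register as a keyboard in order to type commands, so a "memory stick" that also enumerates an input interface is worth flagging. The script below parses Linux kernel log lines (constructed and simplified for the example, with placeholder vendor/product ids) and reports such devices, plus any keyboard not on an approved list.

```python
import re

# Constructed, simplified Linux kernel (dmesg) lines for three devices plugged in
# over time; the vendor/product ids are placeholders, not real products.
SAMPLE_LOG = """\
usb 1-3: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 2-1: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 1.00
usb-storage 2-1:1.0: USB Mass Storage device detected
input: Flash Disk as /devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.1/0003:ABCD:0002.0004/input/input9
usb 3-2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
input: Desk Keyboard as /devices/pci0000:00/0000:00:14.0/usb3/3-2/3-2:1.0/0003:1111:2222.0005/input/input10
"""

# Port path like "2-1" (root-port devices only; hub-attached devices such as
# "2-1.3" would need the last path component before the interface instead).
PORT = r"(?P<port>\d+-\d+)"
DEVICE_RE = re.compile(rf"^usb {PORT}: New USB device found, idVendor=(?P<vid>[0-9a-f]{{4}}), idProduct=(?P<pid>[0-9a-f]{{4}})")
STORAGE_RE = re.compile(rf"^usb-storage {PORT}:\d+\.\d+: USB Mass Storage device detected")
INPUT_RE = re.compile(rf"^input: .* as /devices/.*/usb\d+/{PORT}/")

def parse_usb_log(text):
    """Group log lines by port and record which device classes each device exposed."""
    devices = {}
    for line in text.splitlines():
        if m := DEVICE_RE.match(line):
            devices[m["port"]] = {"id": f"{m['vid']}:{m['pid']}", "classes": set()}
        elif (m := STORAGE_RE.match(line)) and m["port"] in devices:
            devices[m["port"]]["classes"].add("storage")
        elif (m := INPUT_RE.match(line)) and m["port"] in devices:
            devices[m["port"]]["classes"].add("input")
    return devices

def find_suspicious(devices, allowed_input_ids=frozenset()):
    """Flag a 'memory stick' that also registered as a keyboard-style input device,
    and any input device whose vid:pid is not on the approved-keyboard allowlist."""
    findings = []
    for port, dev in devices.items():
        if "input" not in dev["classes"]:
            continue
        if "storage" in dev["classes"]:
            findings.append((port, dev["id"], "storage device also registered as input device"))
        elif dev["id"] not in allowed_input_ids:
            findings.append((port, dev["id"], "input device not on allowlist"))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(parse_usb_log(SAMPLE_LOG), {"1111:2222"}):
        print(*finding)
```

In the sample, the device on port 2-1 is flagged because it claims to be storage yet registers a keyboard, while the approved desk keyboard on 3-2 is not.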
Some organisations have gone one step further. In 2018, IBM prohibited data transfer to all removable portable storage devices (e.g. USB sticks, SD cards, flash drives) across IBM operations worldwide, asking staff to rely entirely on the company's cloud-based storage and citing the danger of missing storage devices leading to financial and reputational damage.
And it’s easy to see why they took this step:
- Greater Manchester Police was fined £120,000 after an officer took home a USB stick containing data on more than a thousand people, which was then stolen in a burglary. This was despite a previous incident having led to an "amnesty" on unencrypted memory sticks.
- The Information Commissioner’s Office (ICO) fined the North East Lincolnshire Council £80,000 after a teacher lost a memory stick with information about hundreds of children with special educational needs.
- A £150,000 fine was levied on Royal & Sun Alliance after the theft of a hard drive resulted in the names, addresses and bank account details of 59,592 customers being exposed to the outside world.
- Heathrow Airport was fined £120,000 by the ICO after a careless employee lost a USB stick containing over 1,000 confidential files and sensitive data.
- In the USA, the University of Texas MD Anderson Cancer Center faced a $4.5m penalty after a trainee lost an unencrypted portable hard drive on a campus shuttle bus in 2012 and another unencrypted USB drive was lost in 2013. They fought the case for 8 years before the fine was reduced to $450,000.
Whilst the fines may seem fairly insignificant to large organisations, negative PR exposure, loss of customer trust, decreased revenue, and the time spent investigating and remediating all come at a cost.
According to a 2020 report from IBM and the Ponemon Institute, the average total cost of a data breach was $3.86 million. And the longer it takes to respond, the greater the damage will be.
Considering that companies take about 197 days to identify and 69 days to contain a breach, being able to defend against breaches and react quickly to incidents helps protect against both financial and reputational losses.
With more than 15 years' experience in implementing mission-critical data security, risk, and compliance programs, we believe that a culture of preparedness is the only way to be cyber resilient. Get in touch with the team here at Infosec Partners to chat about how we can help you be more cyber safe.