Risks of Flash Drives in the Workplace

Custom wood flash drive on a tree stump.

Risks of Flash Drives in the Workplace

The Danger of Flash Drives

When considering the many risks that face organizations today, most of us tend to unconsciously gloss over the threat of everyday items, such as a flash drive. Also referred to as thumb drives, data sticks, jump drives, or keychain drives, these portable storage devices are typically pretty small and are able to connect to most computers through a USB port.

Flash drives contain an integrated circuit memory chip that is used to store data, and that’s about it. They’re a basic piece of technology, but are favored for their convenience and ease of use. Simply plug it into your computer and you can drag and drop files on or off of it. Many even come on a lanyard or keychain so you’ll always have the data with you. Students can carry their papers on it, business professionals can load a financial report and carry it over to the conference room to present- you get the idea. I don’t think it’s outlandish to say most people have used one at some point in their life.

So what’s the problem? Well, nothing, if it’s used correctly and you take the proper precautions, but the world isn’t always so ideal. Check out some the risks associated with flash drives.

Malware or Viruses

The main issues is that malware or viruses can be loaded onto flash drives. These can automatically infect a machine when inserted! I know from walking into many businesses, such as banks or hotels, that I could infect their machines with minimal effort. A simple reach over the counter or three paces to an unattended desk and I could insert the malicious flash drive that then infects the network. Pretty scary, right? When considering your security, even small things like a malicious flash drive need to be considered.

Instances of malicious code can run and spy on all of your activities (spyware). Keyloggers can report every key you press and report your data and practices to a third party. They track browser history, upload files, and even take remote access of your computer. While some are more obvious, you’ll often find malware attempts to run undetected and you may not even notice any symptoms of being infected such as a decrease in speed or issues in usability.

Just in the past month, a woman was detained after she gained access to Mar-a-Lago and had in her possession a malware infected flash drive. Read more from the New York Times here. If she was able to access a computer, imagine the data she could have stolen.

Flash Drive Misuse

Part of what makes flash drives so attractive is also what makes them so risky! Yes, I’m talking about their widespread availability and ease of use. Many companies use them as a marketing resource, creating thousands with their logo to hand out at conventions or send as freebies. We are so used to seeing these, that we don’t even question receiving them. This is dangerous because, like a trojan horse you can say, these flash drives can have malicious intent that we trustingly accept.

Even using a brand-new flash drive can present you with problems. If there is already a virus on your laptop and you plug in a flash drive, it can infect that flash drive. Now when you use that new flash drive again, you’ll be sharing a virus across your devices.

What’s more, deleting files from a flash drive may not permanently remove them. Traces of deleted files or even the whole file can be recovered with a little skilled work. This creates trouble when sharing, throwing away, or donating old flash drives, as you may inadvertently be giving away private company information.

They’re convenient but their size and common use makes them often go undetected or ignored by security. A study found that nearly 50% of people that find a flash drive will plug it in to see what files are on it. We’re so comfortable with these (maybe a little nosy too) that we just plug in a random flash drive into our computers. These are reasons why companies such as IBM have banned portable storage devices. While this may seem a little excessive, we can understand the security measures.

Accidental Loss of Data

Ignoring the chance of malicious intent, it’s likely you can just plain lose a flash drive. It happens, they’re tiny. Workers can lose them and cause financial or reputational damage by leaking sensitive company information. Private financial information, employee information, or customer information leaked can cause irreparable damage to those affected and the brand name as a whole.

Last year, Heathrow Airport was fined over $150,000 after an employee lost a flash drive with over 1,000 files on it and no attempt at password protection.

When You Want to Use a Flash Drive Anyway

I get it. Flash drives are handy and you’re set in your ways. Luckily, there are steps you can take to stay protected. First, use a password. You can even buy encrypted drives that are designed to protect data that needs airtight security. Encrypted data is perfect for corporate use and keeps you in compliance with directives like FIPS and TAA. Even if you lose an encrypted flash drive, its highly unlikely anyone will ever be able to access your data.

It’s also a good practice to keep your flash drives separate. Have one for public use, one that is only for work station computers, etc. and never use a flash drive that you’re given out of the packaging.

Another safety precaution is to disable any auto-run features that cause your computer to launch installers or programs when a flash drive or cd is inserted into your computer. This prevents the scenario of someone walking up to your computer and inserting a malicious flash drive. This gives you a window to say, “hey, that’s not mine,” and remove it.

Remember, you’re not really in a better position if you’re instead going to start using a personal Dropbox or Google Drive. At that point you’re just circumnavigating protections that your company has in place.

Consider taking a trial of our CyberWatch platform and selecting the Top 20 Cyber Controls content library, which includes some content regarding policies on portable storage devices.