Leveraging Technology to Mitigate Risk Part #4: Ban Your Removable Memory Devices

October 09, 2018
Part 4 of our blog series covers how organizations can protect sensitive data if they ban the use of removable memory devices for storing company information.
 
Technology provides a powerful platform allowing organizations to innovate at a rapid rate. Technology is so entrenched in our work lives that we take for granted how things like email services, smartphones, video chatting, and computers have revolutionized the business world. However, because technology progresses and changes so quickly, it has also made organizations vulnerable to risks like cyber-attacks and data breaches, putting their clients’ privacy in jeopardy.
 
Over the past few weeks, our blog has covered some of the top ways you and your organization can protect yourselves from the increased risk associated with the daily use of technology. Thank you for joining us as we discussed the ways your technology can work for you, not against you. This week's post discusses the risks that come with removable memory devices. 
 
Ban Your Removable Memory Devices
            
A removable memory device is any type of media that allows data to be removed from a system while the system is still running. Examples include CDs, DVDs, USB drives, memory cards, external drives, and even smartphones. While removable memory devices are normally harmless, they also can become a massive liability. They can act as a window into your organization’s network, exposing your organization’s sensitive and private information.
 
When you use removable memory devices, you circumvent all the policies and practices that your organization has in place to protect its data. Sensitive information that was once password protected and only viewable by trusted individuals becomes unsecured and movable. Moreover, these devices are easily misplaced, forgotten, or stolen, compromising confidential information. Of the 33% of organizations that suffered USB-related security threats in 2017, the majority of them were caused by lost or stolen USB devices. How many times have you misplaced or forgotten important things, like your phone, wallet, keys, or glasses? You cannot and should not trust yourself to be a perfect steward for your organization’s data stored on removable memory devices.
            
Another issue with removable memory devices is that they can be infected with malware and used by hackers to infect company computers. In a 2016 University of Illinois study, researchers dropped USB devices in several locations to see if anyone would connect them. The study revealed that 48% of the people who found the devices inserted them into their computers and clicked on at least one file.
 
While most participants reported that they initially plugged in the drives to attempt to find the owner, over half of them clicked on photo files first, before clicking on a file titled “resume,” the logical place to find the owner’s contact information. What’s worse, 68% of participants reported taking no security precautions before plugging in the USB device.
 
            
How Your Organization Can Protect Itself 
 
Some organizations have implemented new policies that require employees to use encrypted USB devices that are provided by and approved by the company. Companies like IBM have decided to take a different approach and have banned removable memory devices altogether. If your company has a “Bring Your Own Device” Policy for mobile devices, make sure each device is not compromised and consider using mobile device management (MDM) and mobile application management (MAM) solutions. These management tools allow organizational data to remain separate from the users’ personal data, encrypt it, and allow it to be wiped remotely if the device is ever lost or if the employee leaves the company.
 
Whichever solution your company chooses, it is important that employees are made aware of the policy and that there are resources in place to enforce it. As your organization designs new best practices for technology use, it is important to remember that the longer information is kept, the less valuable it becomes, while the risk and cost of keeping it increase.
 
 