A removable media policy dictates the acceptable use of USB flash drives and other portable storage devices. When used in tandem with USB restriction tools, these policies serve as a critical administrative safeguard for mitigating the data security risks of portable storage.
While it’s a best practice to proactively restrict the use of these devices altogether, for some remote workers this may not work. In these cases, security teams looking to prevent data breaches must outline how employees should use permitted devices.
In this column, I’ll cover the important requirements for a removable media policy and outline how to mitigate the unique security risks of remote workers.
When developing a removable media policy for remote workers, all of the standard risks apply—malware from infected or malicious USB drives, insider data theft, and the potential for data loss because of lost or stolen devices. These risks are further compounded by the distributed and portable nature of remote work.
Security teams always find it challenging to make sure that remote workers using removable media devices return them to a safe location.
Unlike a standard office setting where workers can easily sign removable media devices in and out each day, remote workers will need to keep their devices over a prolonged period. This further increases the potential for theft, unauthorized use, and misplacement. Here’s how security teams can address this issue:
When employees work from home, the line between business and personal can get blurred, tempting them to use portable storage devices on unauthorized computers or use unauthorized devices on company computers. Here’s how to address the personal use issue:
Remote workers who frequently travel or work in public spaces are at a far greater risk of losing their removable media devices or having them stolen. The portability of these devices makes them easy to drop or misplace without it being noticed until it’s far too late. Security teams can address this issue with the following steps:
Create a policy around removable media
Companies need to take a proactive stance and set clear policies that are communicated to the staff. Here are some ideas to get started:
The security team must also inform any users permitted to use a removable media device of the most common security risks of these devices, the procedures they are expected to follow, their data security responsibilities, and the potential consequences of misusing removable media devices.
Security policies are a critical administrative safeguard, but they’re only part of a successful cybersecurity strategy. In addition to setting expectations with the policy, the company needs security software that will enforce the exclusive use of authorized USB devices and provide alerts of high-risk USB activities. For these tools to be effective for remote workers, they must include a client agent that enforces the device control policies regardless of the network the remote employee is connected to.
The nature of remote work introduces many security risks and compounds existing ones. When more secure data transfer options are not available, a removable media device can be a convenient option, but the risks need to be appropriately mitigated with a combination of security policies, encryption, training, and device control software.
Neel Lukka, managing director, CurrentWare