A removable media policy dictates the acceptable use of USB flash drives and other portable storage devices. When used in tandem with USB restriction tools, these policies serve as a critical administrative safeguard for mitigating the data security risks of portable storage.
While it’s a best practice to proactively restrict the use of these devices altogether, for some remote workers this may not work. In these cases, security teams looking to prevent data breaches must outline how employees should use permitted devices.
In this column, I’ll cover the important requirements for a removable media policy and outline how to mitigate the unique security risks of remote workers.
When developing a removable media policy for remote workers, all of the standard risks apply—malware from infected or malicious USB drives, insider data theft, and the potential for data loss because of lost or stolen devices. These risks are further compounded by the distributed and portable nature of remote work.
Security teams always find it challenging to make sure that remote workers using removable media devices return them to a safe location.
Unlike a standard office setting where workers can easily sign in and out removable media devices each day, remote workers will need to keep their devices over a prolonged period. This further increases the potential for theft, unauthorized use, and misplacement. Here’s how security teams can address this issue:
- Provide remote employees with a secure lockbox; include the expectations for its use in your policy.
- Use device control software to ensure that only authorized encrypted devices are permitted for use.
- Have employees periodically verify their possession of the assigned devices; this can be accomplished by auditing the USB device usage logs in your device control software.
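One way to run the possession audit from the last bullet, as an added example that is not from the original column or from any vendor's product. It also flags devices that are not authorized and encrypted, and assigned devices used by someone other than their assignee. The CSV column names, the inventory mapping and the 30-day window are assumptions, and the log lines are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: the column names mimic a generic CSV export and are
# assumptions, not the format of any particular device control product.
SAMPLE_LOG = """timestamp,user,host,device_serial,encrypted
2024-05-02T09:14:00,alice,LT-ALICE,SN-A100,yes
2024-05-20T16:40:00,alice,LT-ALICE,SN-A100,yes
2024-04-03T11:05:00,bob,LT-BOB,SN-B200,yes
2024-05-18T08:30:00,carol,LT-CAROL,SN-A100,yes
2024-05-21T13:22:00,bob,LT-BOB,SN-X999,no
"""

# Hypothetical inventory: device serial -> employee the device is assigned to.
INVENTORY = {"SN-A100": "alice", "SN-B200": "bob", "SN-C300": "carol"}


def audit_usb_log(log_text, inventory, as_of, max_age_days=30):
    """Return findings for possession, unauthorized devices and wrong users."""
    cutoff = as_of - timedelta(days=max_age_days)
    last_seen = {}          # serial -> latest use by the assigned employee
    unauthorized, wrong_user = set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        serial, user = row["device_serial"], row["user"]
        when = datetime.fromisoformat(row["timestamp"])
        owner = inventory.get(serial)
        if owner is None or row["encrypted"].lower() != "yes":
            unauthorized.add((serial, user, row["host"]))
        elif user != owner:
            wrong_user.add((serial, user))
        elif when > last_seen.get(serial, datetime.min):
            last_seen[serial] = when
    # An assigned device with no recent use by its owner is not verified.
    unverified = sorted(s for s in inventory
                        if last_seen.get(s, datetime.min) < cutoff)
    return {"unverified": unverified,
            "unauthorized": sorted(unauthorized),
            "wrong_user": sorted(wrong_user)}


if __name__ == "__main__":
    for kind, items in audit_usb_log(SAMPLE_LOG, INVENTORY,
                                     datetime(2024, 5, 22)).items():
        print(kind, items)
```

Devices listed as unverified are the ones to follow up with the assignee; a device that has never appeared in the log is reported the same way as one that has gone stale.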
When employees work from home, the line between business and personal use can blur, tempting them to use portable storage devices on unauthorized computers or to use unauthorized devices on company computers. Here’s how to address the personal use issue:
- Clearly outline the organization’s expectations surrounding the acceptable use of devices.
- Follow up on any evidence of personal use with corrective actions that are appropriate to the level of risk.
- Proactively block the use of unauthorized USB devices.
Remote workers who frequently travel or work in public spaces are at a far greater risk of losing their removable media devices or having them stolen. The portability of these devices makes them easy to drop or misplace without it being noticed until it’s far too late. Security teams can address this issue with the following steps:
- Advise employees not to leave devices unattended, such as in their car or checked luggage.
- Encourage employees to keep devices in a predefined location so they can readily verify their possession of them.
- Encrypt storage devices to ensure that the contents are only readable by authorized accounts.
- Give remote workers a private and secure working environment and advise them to limit their access to sensitive data when in public areas.
Create a policy around removable media
Companies need to take a proactive stance and set clear policies that are communicated to the staff. Here are some ideas to get started:
- Set procedures for third-party removable media devices. Are they permitted? Will the security team need to scan them in a sandbox first? And what procedures should the security team and rank-and-file employees follow if a threat gets discovered?
- Create data handling procedures for removable storage, such as the classifications of data that are permitted, the expectations of users, and encryption requirements.
- Identify the available alternatives to removable media. Workers should use devices as a last resort when more secure options are not available.
- Specify end-user security responsibilities such as physical safeguards, who is permitted to use their assigned devices, and incident reporting processes.
- Develop a privacy statement that discloses the organization’s intent to monitor the use of removable media devices and the consequences for misuse.
- Outline requirements for IT security personnel, such as inventory management practices that ensure any storage devices that once held sensitive data are limited to storing data of the same or greater classification.
The security team must also inform any users permitted to use a removable media device of the most common security risks of these devices, the procedures they are expected to follow, their data security responsibilities, and the potential consequences of misusing removable media devices.
Security policies are a critical administrative safeguard, but they’re only part of a successful cybersecurity strategy. In addition to setting expectations with the policy, the company needs security software that will enforce the exclusive use of authorized USB devices and provide alerts of high-risk USB activities. For these tools to be effective for remote workers, they must include a client agent that enforces the device control policies regardless of the network the remote employee is connected to.
The nature of remote work introduces many security risks and compounds existing ones. When more secure data transfer options are not available, a removable media device can be a convenient option, but the risks need to be appropriately mitigated with a combination of security policies, encryption, training, and device control software.
Neel Lukka, managing director, CurrentWare