Skip to main content

USB Sticks & how they could be dangerous to your business

Media Why Does Your Business Need IT Security in York?

Could a Small USB Drive Create a Major Cyber Security Incident?

USB sticks are convenient, inexpensive and easy to use.

They allow employees to move large files, provide information to customers, transfer documents between computers and keep an offline copy of important data.

However, the same features that make USB sticks useful also make them a potential security risk.

They are small enough to lose, easy to connect to almost any computer and capable of carrying both sensitive information and malicious software.

A USB stick does not need an internet connection to transfer malware or remove confidential files from your business. An employee only needs to connect it to a computer.

This means a single unknown or poorly managed USB device could potentially expose your organisation to:

  • Malware
  • Ransomware
  • Data theft
  • Accidental data loss
  • Unauthorised software
  • Privacy breaches
  • Disruption to business systems

The National Cyber Security Centre warns that USB and other peripheral interfaces provide an additional route through which attackers can reach a device and the information stored on it.

What is a USB stick?

A USB stick—also known as a USB flash drive, memory stick or thumb drive—is a small removable storage device.

It connects to a computer through a USB port and is normally displayed as another drive within Windows or macOS.

USB sticks can be used to store and transfer:

  • Documents
  • Spreadsheets
  • Photographs
  • Videos
  • Software installers
  • Database exports
  • Customer information
  • Backups
  • Presentations
  • Financial records

Modern USB drives can hold hundreds of gigabytes or even several terabytes of information.

This makes them useful, but it also means a very small physical device may contain a large amount of confidential business data.

Why do businesses still use USB sticks?

Cloud storage services such as Microsoft SharePoint and OneDrive have reduced the need to transfer files manually.

However, USB sticks are still commonly used when:

  • A file is too large to email
  • Internet access is unavailable
  • Information must be transferred to an isolated computer
  • A supplier requests files on removable media
  • An employee needs to move information between locations
  • Software needs to be installed on several devices
  • A presentation must be delivered at another organisation
  • A system does not support cloud storage
  • An offline backup is required

There may be legitimate reasons to use removable storage.

The important question is not necessarily whether your business should ban every USB stick. It is whether you know which devices are being used, who is using them and what information is being copied.

How can a USB stick contain malware?

A USB stick can carry malicious files in the same way that an email attachment or internet download can.

The malicious content could be disguised as:

  • A PDF document
  • An invoice
  • A spreadsheet
  • A photograph
  • A software installer
  • A shortcut
  • A presentation
  • A compressed ZIP file

The file may appear to be legitimate until an employee opens it.

Once opened, it could attempt to install malware, steal passwords, encrypt files or provide an attacker with remote access to the computer.

The US Cybersecurity and Infrastructure Security Agency advises that attackers can use USB drives to transfer malware between computers and recommends caution when handling unknown removable media.

Can an infected computer compromise the USB stick?

The risk works in both directions.

An infected USB stick can compromise a computer, but an infected computer may also copy malicious files onto a previously safe USB stick.

The employee might then connect that drive to another device and unknowingly spread the infection.

For example:

  • An employee connects a business USB stick to a personal computer.
  • The personal computer is already infected.
  • Malware copies itself onto the USB stick.
  • The employee brings the drive back to work.
  • The drive is connected to a company computer.
  • The infection spreads into the business environment.

This is one reason company USB sticks should not be casually used on home computers, customer systems or other unmanaged equipment.

The business has no way of confirming whether those devices have current antivirus protection, security updates or an existing infection.

What about USB devices found in public places?

An employee should never connect a USB stick they have found in a car park, reception area, meeting room or other public location.

The drive may have been lost innocently, but it could also have been deliberately left where somebody is likely to find it.

Curiosity may encourage an employee to connect it to discover who owns it.

Unfortunately, connecting the device may be all that is required to begin an attack.

An unknown USB device should be handed to the IT or cyber security team without being connected to a business computer.

It should only be examined within a controlled and isolated environment by someone who understands the risk.

Can a USB device pretend to be something else?

Not every USB attack depends on a user opening a malicious document.

Some devices can identify themselves to the computer as a different type of peripheral, such as a keyboard.

The device may then rapidly enter commands as though somebody were typing them.

These commands could attempt to:

  • Download malware
  • Open PowerShell
  • Create an administrator account
  • Disable security controls
  • Connect to a malicious website
  • Copy sensitive information
  • Install remote-access software

The NCSC has specifically warned that a malicious USB device can emulate a trusted human-interface device, such as a keyboard, and carry out keystroke-injection attacks.

This means antivirus scanning the files on a USB drive does not necessarily protect against every type of malicious USB hardware.

How can USB sticks be used to steal information?

USB sticks are not only a route into a computer. They can also be used to take information out of the business.

An employee, contractor or attacker with access to a computer may be able to copy large quantities of data onto a removable drive within minutes.

This could include:

  • Customer databases
  • Employee records
  • Financial information
  • Business plans
  • Contracts
  • Intellectual property
  • Password documents
  • Product designs
  • Email exports
  • Confidential correspondence

The person copying the information may be acting maliciously, but data loss can also happen accidentally.

An employee might copy files onto a personal USB stick so they can work from home, without considering whether the device is encrypted or where the information will later be stored.

The NCSC identifies removable media as a common method of taking information from an organisation and recommends considering whether USB connection and insertion activity is being logged.

What happens if a USB stick is lost?

USB sticks are extremely easy to lose.

They may be:

  • Left in a laptop
  • Dropped in a car park
  • Forgotten in a meeting room
  • Left at a customer’s premises
  • Taken home by an employee
  • Lost while travelling
  • Accidentally thrown away
  • Stolen with a bag or laptop

If the drive is not encrypted, whoever finds it may be able to connect it to another computer and open the files.

A lost USB stick containing personal information could create a data-protection incident.

The business may then need to investigate:

  • Which information was stored
  • Whether the files were encrypted
  • Which individuals were affected
  • Whether the information has been accessed
  • Whether customers need to be informed
  • Whether the incident must be reported
  • How the loss occurred
  • What controls should be improved

It may be impossible to answer these questions if the business does not record which USB sticks are being used and what information is stored on them.

Why encryption is important

Encryption protects information by making it unreadable without the required password, key or authorised device.

If an encrypted USB stick is lost, the person who finds it should not be able to access its contents simply by connecting it to a computer.

Windows BitLocker can be used to encrypt compatible removable drives. Microsoft also supports policies that prevent users from writing information to removable media unless the device is encrypted.

Encryption considerably reduces the risk created by a lost USB stick, but it does not solve every problem.

The drive could still:

  • Become physically damaged
  • Contain malicious software
  • Be used to transfer unauthorised files
  • Be accessed if the password is weak or shared
  • Cause disruption if the business has no other copy of the data

Encryption should therefore be one part of a wider removable-media policy.

Is password protection the same as encryption?

Not always.

Some USB sticks include software that asks for a password before displaying the files. However, the strength of the protection depends on how that product has been designed.

A simple password prompt does not necessarily mean the underlying information has been strongly encrypted.

Businesses should use products with recognised hardware or software encryption rather than relying on an unknown password-protection application included with a low-cost drive.

The organisation should also have a controlled recovery process.

If the only employee who knows the password leaves the business, important information should not become permanently inaccessible.

Can deleted files be recovered from a USB stick?

Deleting a file does not always immediately remove the underlying data from the device.

In many cases, deletion removes the file’s visible reference while some or all of its contents remain on the storage media until they are overwritten.

Commercial recovery tools may therefore be able to retrieve previously deleted information.

The NCSC advises that storage media containing sensitive business information should be securely sanitised before it leaves the organisation’s control. It also warns that simply pressing the Delete key is not sufficient.

This is important when USB sticks are:

  • Reissued to another employee
  • Returned to a supplier
  • Donated
  • Sold
  • Recycled
  • Thrown away
  • Used for a different customer or project

The device should be securely erased or physically destroyed according to the sensitivity of the information it has held.

Could USB backups be dangerous?

USB drives and external hard drives are sometimes used for offline backups.

Keeping a backup separate from the main network can be useful, particularly as protection against ransomware.

However, the backup drive must actually be disconnected when it is not being used.

A USB backup drive that remains permanently connected to a computer may be accessible to malware or ransomware.

An attacker could potentially:

  • Encrypt the backup
  • Delete recovery copies
  • Corrupt the stored information
  • Copy confidential data
  • Use the device to spread malware
  • Prevent the backup from completing

USB backup drives should also be monitored and tested.

Copying files onto a removable drive is not a complete disaster-recovery strategy unless the business knows that the information can be successfully restored.

What is AutoPlay and why can it be risky?

AutoPlay is a feature that responds when removable media is connected to a computer.

Depending on the configuration, Windows may display options to open files, import content or launch an application.

Historically, automatically running content from removable media has been used to spread malware.

Modern versions of Windows include stronger protections, but businesses should still avoid allowing unknown removable media to automatically execute software.

CISA recommends disabling AutoPlay where appropriate to reduce the opportunity for malware to spread through removable devices.

Employees should also avoid selecting unexpected prompts simply because they appeared immediately after connecting a device.

As part of our IT Support, Hamilton Group follow an IT Security Baseline. This means we protect against Autoplay happening on devices without our knowledge.

Are new USB sticks automatically safe?

A newly purchased USB stick is generally less risky than an unknown or second-hand device, but it should not automatically be trusted.

Businesses should purchase removable media from reputable suppliers and avoid:

  • Unbranded promotional drives
  • Extremely low-cost devices from unknown sellers
  • Second-hand USB sticks
  • Devices supplied without packaging
  • Drives found in public areas
  • Personal USB sticks brought in by employees

A business-owned USB stick should be prepared before use.

This may include:

  • Recording its serial number
  • Assigning it to a named employee
  • Encrypting it
  • Scanning it
  • Applying an identifying label
  • Restricting its permitted use
  • Setting an expiry or review date

The device should remain the property of the business and be returned when no longer required.

Should employees use personal USB sticks?

Allowing employees to use their own USB sticks creates several difficulties.

The business may not know:

  • Where the device came from
  • Which computers it has previously connected to
  • Whether it is encrypted
  • Whether it contains malware
  • What business files have been copied onto it
  • Whether family members can access it
  • Whether it will be returned when the employee leaves
  • Whether old information has been securely deleted

For these reasons, personal USB sticks should normally be prohibited unless there is a documented and approved business requirement.

Where removable storage is necessary, the organisation should issue an approved and managed device.

Should businesses block USB storage completely?

Some organisations choose to block all removable storage.

This can be appropriate where:

  • Employees have no legitimate need to use USB sticks
  • The business handles highly confidential information
  • Devices operate in a sensitive or regulated environment
  • There is a serious risk of data theft
  • Cloud-based sharing methods are already available
  • Computers control manufacturing or operational equipment

The NCSC recommends restricting or disabling peripheral access where it is not required and educating users about the risks of connecting external devices.

However, blocking every USB port may be too restrictive for some organisations.

USB ports are also used for legitimate devices such as:

  • Keyboards
  • Mice
  • Headsets
  • Cameras
  • Printers
  • Smart-card readers
  • Security keys
  • Docking stations

The technical policy must therefore distinguish between USB storage and other approved peripherals.

What alternatives are there to a complete USB ban?

A business can introduce more targeted controls.

Allow only company-approved USB sticks

Every other removable storage device is blocked.

Approved drives can be identified through characteristics such as their serial number, device ID, manufacturer or product ID.

Make removable storage read-only

Employees can open approved files from a USB stick but cannot copy business information onto it.

This may be useful when information is regularly received from a customer or supplier.

Prevent files from running

Employees may be allowed to read documents but prevented from running executable files, scripts or software installers directly from removable media.

Allow USB use only for selected employees

Access can be limited to departments or named individuals with a genuine business requirement.

Allow only encrypted devices

The business can prevent users from writing files to USB storage unless the device is protected by approved encryption.

Block sensitive files

Data-loss-prevention controls can prevent files containing certain types of sensitive information from being copied to removable media.

Monitor USB activity

The organisation can record when devices are connected, who used them and whether access was allowed or blocked.

These options provide more flexibility than treating every USB connection in exactly the same way.

How can Microsoft Defender control USB devices?

Microsoft Defender for Endpoint includes device-control capabilities that can help organisations manage removable storage.

Depending on the policy and licensing, administrators can control access based on:

  • The specific device
  • The type of device
  • The user or group
  • Whether the user can read files
  • Whether the user can write files
  • Whether software can be executed
  • The device’s serial number
  • The device ID
  • The network location
  • The type of file

Microsoft states that Defender device control can provide granular policies and reporting for removable devices, with management available through Microsoft Intune or Group Policy.

This means a business could allow one company-issued encrypted USB stick while blocking every unapproved device.

Can Microsoft Intune block USB storage?

Microsoft Intune can be used to deploy and manage device-control policies across supported company computers.

A policy could be configured to:

  • Deny all removable storage
  • Allow approved USB sticks
  • Create read-only USB access
  • Allow access for specified users
  • Block unknown devices
  • Report connected USB hardware
  • Apply different policies to different departments

Microsoft’s current device-control guidance demonstrates a model in which removable media is blocked by default, authorised USB devices are exempted and selected devices are given read-only access.

Policies should be tested carefully before being applied to the entire business.

A poorly configured rule could block legitimate equipment or prevent an important process from working.

What is data-loss prevention?

Data-loss prevention, commonly shortened to DLP, is designed to identify and control sensitive information.

A DLP policy might identify:

  • Payment-card information
  • National Insurance numbers
  • Financial records
  • Health information
  • Confidential labels
  • Customer data
  • Internal project documents

Microsoft Purview Endpoint DLP can apply protective actions when sensitive information is used on managed devices.

Microsoft specifically supports using Endpoint DLP to prevent selected information from being copied to USB storage.

For example, an employee might be permitted to copy an ordinary presentation onto an approved drive but blocked from copying a spreadsheet containing customer financial information.

DLP is not a substitute for appropriate permissions and employee training, but it can provide another layer of control.

Why logging USB activity matters

A written rule stating that employees must not use personal USB sticks is useful, but the business should consider how it will know whether the rule is being followed.

USB logging can help identify:

  • Which devices are being connected
  • Which employee connected the device
  • Which computer was used
  • Whether the device was allowed or blocked
  • Whether a user attempted to write information
  • Repeated attempts to use unauthorised storage
  • USB use outside normal working hours

Microsoft Defender can record device-control activity and make information available through reporting and advanced hunting.

Logs still need to be reviewed.

Collecting information without anybody monitoring or investigating it provides limited protection.

How should employees transfer large files?

Businesses should provide an approved alternative so employees do not feel forced to use USB sticks.

Depending on the requirement, alternatives may include:

  • Microsoft SharePoint
  • Microsoft OneDrive
  • Secure file-transfer portals
  • Encrypted email
  • Customer upload portals
  • Managed cloud storage
  • Secure remote access
  • Microsoft Teams
  • Approved guest-sharing links

These services can provide advantages such as:

  • Access controls
  • Expiry dates
  • Audit logs
  • Version history
  • Remote access removal
  • Encryption
  • Multifactor authentication
  • Reduced reliance on physical devices

Sharing links should still be configured carefully.

An unrestricted public link may create a different type of data-loss risk.

What should employees do if they find a USB stick?

Employees should be instructed to:

  • Do not connect it to any computer.
  • Hand it to the IT or cyber security team.
  • Explain where and when it was found.
  • Avoid attempting to identify the owner themselves.
  • Do not take it home or connect it to a personal device.

The IT team can then decide whether the device should be securely examined, retained as potential evidence or destroyed.

There should be no assumption that a device is safe because it has a company logo or someone’s name written on it.

Labels can be added to malicious devices to make them appear trustworthy.

What should you do after connecting a suspicious USB stick?

If an employee has connected an unknown or suspicious device, they should report it immediately.

They should not attempt to conceal the mistake or continue opening files.

Depending on what happened, the IT team may need to:

  • Disconnect the computer from the network#
  • Isolate it through endpoint security
  • Scan the device
  • Review running processes
  • Check security logs
  • Reset affected passwords
  • Look for unauthorised software
  • Review access to business information
  • Examine other computers
  • Preserve evidence
  • Begin the incident-response process

The required response will depend on whether the USB stick was merely connected or whether files and programs were opened.

Fast reporting gives the IT team a better opportunity to investigate and contain a potential infection.

The NCSC’s malware guidance emphasises taking action to reduce both the spread and impact of malicious software across an organisation.

What should be included in a removable-media policy?

A removable-media policy should be clear enough for employees to understand.

It may cover:

  • Whether USB sticks are permitted
  • Who can approve their use
  • Whether personal devices are prohibited
  • Which company-issued drives are approved
  • What information can be stored
  • When encryption is required
  • Whether devices can be used on home computers
  • How USB sticks should be transported
  • How lost devices must be reported
  • How files should be scanned
  • How devices are returned
  • How media is securely erased or destroyed
  • What happens when the policy is not followed

The policy should also cover other removable devices, such as:

  • External hard drives
  • SD cards
  • Mobile phones
  • Cameras
  • Portable media players
  • Writable CDs and DVDs

A smartphone connected by USB may also provide removable storage or another route for transferring information.

How should approved USB sticks be managed?

Where USB sticks remain necessary, a sensible process could include:

  • Purchasing devices from an approved supplier.
  • Recording the make, model and serial number.
  • Assigning each drive to a named employee.
  • Encrypting the device before use.
  • Applying a strong recovery process.
  • Restricting access through Microsoft Defender or Intune.
  • Scanning files before they are opened.
  • Preventing use on unmanaged personal computers.
  • Keeping another copy of important information.
  • Reviewing who still needs USB access.
  • Securely sanitising the drive before reassignment.
  • Destroying it securely when it reaches the end of its life.

Access should be based on a genuine business need rather than being enabled for every employee by default.

Common USB security mistakes

Some of the most common mistakes include:

  • Allowing any employee to use any USB stick
  • Using personal drives for company information
  • Failing to encrypt sensitive data
  • Leaving backup drives permanently connected
  • Opening files from unknown devices
  • Reusing promotional USB sticks
  • Not recording lost removable media
  • Assuming antivirus will detect every USB attack
  • Failing to monitor USB connection events
  • Keeping old customer information on forgotten drives
  • Throwing USB sticks away without securely erasing them
  • Blocking USB storage without providing a safe alternative
  • Allowing employees to connect company drives to home computers

These issues can normally be reduced through a combination of policy, training and technical controls.

Are USB sticks too dangerous for business use?

USB sticks are not automatically unsafe.

A company-owned, encrypted and centrally controlled USB stick may be appropriate for a specific business process.

The risk comes from uncontrolled use.

A business should not be in a position where:

  • Any device can be connected
  • Any information can be copied
  • Nobody knows which drives exist
  • Lost devices are not reported
  • Personal USB sticks are routinely used
  • Security events are not monitored
  • Old drives are discarded without being erased

Where there is no genuine requirement, USB storage should be blocked.

Where it is required, access should be limited to approved people and approved encrypted devices.

How can Hamilton Group help?

At Hamilton Group, we can help your business control the use of USB sticks and other removable devices.

We can assist with:

  • Microsoft Defender device control
  • Microsoft Intune policies
  • Blocking unauthorised USB storage
  • Approving specific company USB devices
  • Read-only removable-media access
  • BitLocker encryption
  • Microsoft Purview data-loss prevention
  • USB activity monitoring
  • Endpoint security
  • Malware and ransomware protection
  • Employee cyber security training
  • Removable-media policies
  • Data-protection reviews
  • Secure media disposa
  • Cyber Essentials preparation

We can review which USB devices are currently being used, identify unmanaged removable storage and recommend a policy that reflects how your business operates.

This may involve blocking USB storage completely, allowing only approved encrypted drives or preventing sensitive files from being copied.

A USB stick may be small, but the information and malicious software it can carry can have a significant impact on your organisation.

Contact Hamilton Group to discuss how device control can help protect your computers, employees and business information.

Call us on 0330 043 0069 or book an appointment with one of our experts.