(Updated on 02/24/2021)
Last week in our Coachable Moments series, we covered how to train employees to prevent data exfiltration from outdated technologies, including USB drives. But how do you determine which USB policy is most effective for your team members? Let’s take a look at three different cybersecurity policy levels and why you would choose them to reduce insider threat risk, ranked from most to least restrictive.
Full Lockdown: Banning USB Devices
For some teams, it may make sense to fully block or disable USB ports to stop the use of these devices altogether. USBs are still one of the most common data exfiltration methods insider threats use today, even though the technology is a few decades old. If your organization is in a highly regulated industry, or stores extremely sensitive customer data, this option may be best for your regulatory compliance needs.
This level of policy change would require a clear explanation as to why these devices are no longer permitted in the organization, including details on other possible storage methods.
At the time of new user onboarding, inform users that USB devices are not permitted, and provide alternatives for secure local or cloud storage. If your team decides to use cloud storage options, it’s equally important that each user understands how to protect their account security by using strong passwords and multi-factor authentication.
In terms of disabling USB ports in users’ machines, this article gives step-by-step instructions on how to block them for Windows, Mac, and Linux devices. Some newer Mac laptops are shipping without USB ports, so if your team uses these machines for work, you may be able to avoid this step altogether.
Mid-Level Restrictions: Limiting USB Usage
In many organizations, it is not practical to completely restrict the use of USB devices. Overly restrictive cybersecurity policies can sometimes prevent employees from doing their jobs in a timely manner (not to mention, they can extremely frustrating). What’s worse, some users will do their best to circumvent restrictive IT policies, which can put their organizations at even more risk of accidental or malicious insider threat in the process.
If you have a specific subset of employees who must use USB drives on a regular basis, your cybersecurity team should provide this privilege to a limited number of users, while blocking USB ports on all other machines. Or, your team may choose to lay out the data access rules for employees in a clearly defined cybersecurity policy. For example, employees that are regularly traveling or working remotely should access corporate servers using a secure VPN, rather than USB drives.
While it may seem like a no-brainer to cybersecurity professionals, many employees don’t understand the risks of USB drives (including the reasons that they’re easy to lose, and sometimes contain dangerous malware). In most cases, removing this margin for error is best, but if users are vigilant about the origins of their USB drives, they can be taught to use them securely.
Free Reign: Anyone Can Use USB Drives
If your organization rarely uses USB drives, or has not experienced cybersecurity issues from these devices, it may make sense to allow their use. However, we would caution that without the right protections in place, data exfiltration incidents with USBs could easily happen to any organization.
A liberal USB policy should absolutely be accompanied by significant user coaching on how to securely use these devices. In addition, user and data activity monitoring software like Proofpoint ITM can help alleviate insider threat concerns. Using a tool like Proofpoint ITM, cybersecurity teams can prevent data exfiltration through USB drives with real-time alerts, as well as in-depth investigation capabilities to provide context into a potential insider threat incident (whether malicious or accidental).
Know Your Users
Regardless of where you currently stand on your USB policy, it’s important to know your users and ensure that the right tools are in place for them to be both productive and secure. The best way to achieve this goal is to have a regular dialogue with users where they feel comfortable asking questions, or requesting the use of certain software or devices. In-the-moment coaching, paired with regular training sessions, can create this healthy culture of cybersecurity awareness with your team.