Are USB ports the Achilles heel of your network security?

on December 23, 2010

More and more businesses are implementing security measures to protect their networks. Antivirus software, anti-spam, email filtering and web filtering products are essential tools for every IT administrator.

However, as the focus on external threats increases, very often businesses tend to forget that there are dangers much, much closer to home – and recent research provides ample reason to be concerned. Statistics show, for example, that 48% of employees admit they would take company information with them if they are fired and 39% would download company information if they found that their job was at risk.

This is not the only reason why businesses need to turn their attention to what’s happening within their organization. Data theft, as explained below, is a primary risk but uncontrolled use of USB ports opens a door to other threats that can be equally damaging to an organization.

1. Data theft

Data theft is a serious problem for SMEs, as data stolen by insiders (who typically would not come under suspicion) could not only be used for extortion and blackmail but could also be sold to competitors. Employees who sense redundancies or are disgruntled with their employer will not think twice about taking what they believe is theirs or deliberately causing damage to the network by uploading malware or other programs that could be used to gain access in future. There is nothing stopping an angry employee with good IT knowledge from infecting the network with keyloggers or something more destructive.

2. Introduction of malware

Following on from the previous point, USB ports can inadvertently become the source of an infection when employees connect portable devices to the network. USB memory sticks, smartphones and so on are excellent vehicles for malware transmission. The infamous Conficker is believed to have used the Autorun functionality in USB drives to spread. Non-company-approved portable devices are always a risk unless proper preventive measures are in place.

3. Productivity loss

Employees using their portable devices via USB ports may be using their office machine for other purposes than work. They may be working on personal stuff, copying or downloading files using the corporate network and storing them on their device or even copying unauthorized software. While constituting a security risk, they are also wasting considerable time and company resources.

4. Legal liability issues

If confidential information is lost and/or if employees introduce illicit material such as pirated material to the corporate network via their USB devices, the business could face legal action and substantial fines. Liabilities vary depending on the country; however, fines can be very high, impacting the corporation’s assets significantly. In the UK, for example, the Information Commissioner can impose fines of up to £500,000 if a company loses data through negligence.

How can you prevent these risks?

Blocking USB ports is not the correct approach although some organizations may be tempted to do so. Businesses, though, will admit that the use of portable devices on the network is often required and so a balance between security and productivity is needed. This can be achieved through the use of device control and data leakage prevention software that allows an administrator to monitor and comprehensively control what devices are connected to the network and what files can be copied to or off the network. Such a solution should also allow the administrator to let certain employees transfer specific files while stopping others from doing so, for example restricting the use of identified USB devices to senior executives or only allowing specific, company-approved devices to be used.

Controlling the use of USB ports is an additional layer of protection that reduces security breaches considerably, but does not hamper productivity or the need for flexibility within the business.
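
The decision logic behind the device control policy described above can be sketched as follows. This is an added example, not code from GFI or any product: the device serial numbers, group names, file extensions and the `Transfer`/`evaluate`/`audit` names are all hypothetical.

```python
from dataclasses import dataclass
from pathlib import PurePath

# Constructed policy data (assumptions for illustration only).
# Approved device serial -> groups allowed to use that device.
APPROVED_DEVICES = {
    "SN-EXEC-0001": {"executives"},                 # identified device, executives only
    "SN-CORP-0042": {"executives", "engineering"},  # company-issued shared stick
}
# Per-group rights: extensions that may be copied off the network, and read access.
GROUP_RIGHTS = {
    "executives":  {"to_device": {".pdf", ".docx", ".xlsx"}, "from_device": True},
    "engineering": {"to_device": set(), "from_device": True},  # read-only use
}

@dataclass(frozen=True)
class Transfer:
    user: str
    group: str
    device_serial: str
    direction: str  # "to_device" (copy off the network) or "from_device"
    filename: str

def evaluate(t: Transfer) -> tuple[bool, str]:
    """Default-deny decision plus a reason suitable for an audit log."""
    allowed_groups = APPROVED_DEVICES.get(t.device_serial)
    if allowed_groups is None:
        return False, "device not on approved list"
    if t.group not in allowed_groups:
        return False, "device not assigned to user's group"
    rights = GROUP_RIGHTS.get(t.group)
    if rights is None:
        return False, "group has no removable-media rights"
    if t.direction == "from_device":
        if rights["from_device"]:
            return True, "read from approved device"
        return False, "reads blocked for group"
    if t.direction == "to_device":
        # Extension matching is a simplification; a renamed file would pass it.
        ext = PurePath(t.filename).suffix.lower()
        if ext in rights["to_device"]:
            return True, f"{ext} export permitted for group"
        return False, f"{ext or 'no extension'} export blocked for group"
    return False, "unknown direction"

def audit(transfers):
    """One record per request, so blocked attempts stay visible to the administrator."""
    return [(t.user, t.device_serial, t.filename, *evaluate(t)) for t in transfers]
```

Every branch that is not explicitly permitted falls through to a denial, and `audit` records refused requests as well as granted ones, which is what lets an administrator monitor device use rather than only block it.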

About the Author:

Christina is Web Marketing Content Specialist at GFI Software. She is a keen blogger and has contributed content to several IT sites, besides working as an editor and regular contributor to Talk Tech to Me. Christina also writes for various publications including the Times of Malta and its technology supplement.

Leonard December 27, 2010 7:04 am

Just to be clear, I’m not knocking on the usefulness of these USB security articles, but I firmly believe that USB interfacing is outdated technology as far as data transferring goes. Surely it’s the mainstream method of remotely transferring data, but it doesn’t make it the best. USB 2.0 is horridly slow for today’s needs, and though USB 3.0 is coming out on higher end motherboards, it’s still a long ways away from taking the place of its cumbersome older brother.

Tom Clark December 28, 2010 6:53 am

We’ve actually found flash drives so utterly problematic to our systems that certain departments in our company are completely disallowed from using USB storage devices as means of storing, transferring and sharing files. It seems a bit fascist, I know, but after trying everything from educating workers on proper security practices to limiting USB use, we realized this was the best option. Now, all files must be shared, transferred and acquired through the internet or the company intranet.

Trisha Hill December 28, 2010 7:04 am

I definitely agree that blocking of USB ports is not the way to deal with potential security vulnerabilities. Not only are you taking away a mainstream form of data access from your company, but you’re allowing security threats to disable a potentially critical part of your work flow. If you shut down one system in hopes of staving the advance of a threat, that threat has already (like it or not) succeeded.

nelson chadwick January 3, 2011 1:10 am

Data theft seems to be a bigger problem than most SME managers realize. And though the idea of stealing confidential company information when your job’s in jeopardy is always a good joke tossed around in after hours conversation, I honestly didn’t figure it would be as high as 39%: even higher apparently if you’ve already been fired. It now looks as if companies (of any size) need to reevaluate their data management and access policies.

Benny January 3, 2011 1:21 am

Wouldn’t data theft also be a (probably even bigger) problem for larger businesses and not only SMEs? If there’s anything I learned from systems management, the bigger and more complicated the system, the more difficult it’ll be to secure, manage and monitor. With more vulnerabilities to account for, I’d expect a large company to easily fall prey to internal data theft. But the question is, since we hear so little about it, how do they get around it?