Are USB ports the Achilles heel of your network security?
More and more businesses are implementing security measures to protect their networks. Antivirus software, anti-spam, email filtering and web filtering products are essential tools for every IT administrator.
However, as the focus on external threats increases, businesses often forget that there are dangers much closer to home, and recent research provides ample reason to be concerned. Statistics show, for example, that 48% of employees admit they would take company information with them if they were fired and 39% would download company information if they found that their job was at risk.
This is not the only reason why businesses need to turn their attention to what is happening within their organization. Data theft, as explained below, is a primary risk, but uncontrolled use of USB ports also opens the door to other threats that can be equally damaging to an organization.
1. Data theft
Data theft is a serious problem for SMEs: data stolen by insiders (who would not normally come under suspicion) could be used for extortion and blackmail, or sold to competitors. Employees sensing redundancies or disgruntled with their employer will not think twice about taking what they believe is theirs, or about deliberately causing damage to the network by uploading malware or other programs that could be used to gain access in future. There is nothing stopping an angry employee with good IT knowledge from infecting the network with keyloggers or something more destructive.
2. Introduction of malware
Following on from the previous point, USB ports can also become the source of an infection inadvertently, when employees connect portable devices to the network. USB memory sticks, smartphones and similar devices are excellent vehicles for malware transmission. The infamous Conficker worm is believed to have used the Autorun functionality on USB drives to spread. Portable devices that are not company-approved are always a risk unless proper preventive measures are in place.
3. Productivity loss
Employees using their portable devices via USB ports may be using their office machine for purposes other than work. They may be working on personal material, copying or downloading files over the corporate network and storing them on their device, or even copying unauthorized software. As well as constituting a security risk, this wastes considerable time and company resources.
4. Legal liability issues
If confidential information is lost, or if employees introduce illicit content such as pirated material to the corporate network via their USB devices, the business could face legal action and substantial fines. Liabilities vary depending on the country; however, fines can be very high and can significantly impact the corporation's assets. In the UK, for example, the Information Commissioner can impose fines of up to £500,000 if a company loses data through negligence.
How can you prevent these risks?
Blocking USB ports is not the correct approach, although some organizations may be tempted to do so. Most businesses will admit that the use of portable devices on the network is often required, so a balance between security and productivity is needed. This can be achieved through device control and data leakage prevention software that allows an administrator to monitor and comprehensively control which devices are connected to the network and which files can be copied to or from it. Such a solution should also let the administrator permit certain employees to transfer specific files while stopping others from doing so, for example by restricting the use of identified USB devices to senior executives or by allowing only specific, company-approved devices to be used.
Controlling the use of USB ports is an additional layer of protection that considerably reduces security breaches without hampering productivity or the flexibility the business needs.
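The device control policy described above (only company-approved devices, with write access limited to senior executives) can be sketched as a default-deny check. This is an added example, not code from any particular product; it assumes Windows USBSTOR device instance IDs as input, and the serial numbers, group names and the `evaluate` function are constructed for illustration.

```python
import re
from dataclasses import dataclass

# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
INSTANCE_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_[^\\]*\\(?P<serial>[^\\]+)$")

# Constructed policy values, for illustration only.
APPROVED_SERIALS = {"AA00000000000489", "AA00000000000512"}
WRITE_GROUPS = {"senior-executives"}

@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "read_only" or "block"
    reason: str

def evaluate(instance_id, user_groups):
    """Decide what a user may do with a USB storage device (default deny)."""
    m = INSTANCE_RE.match(instance_id)
    if not m:
        return Decision("block", "unrecognised device id")
    raw = m["serial"]
    # An '&' as second character means Windows generated the id because the
    # device reports no serial, so it cannot be matched to an approved stick.
    if len(raw) > 1 and raw[1] == "&":
        return Decision("block", "no hardware serial")
    serial = raw.rsplit("&", 1)[0].upper()
    if serial not in APPROVED_SERIALS:
        return Decision("block", "device not company-approved")
    if WRITE_GROUPS & set(user_groups):
        return Decision("allow", "approved device, privileged group")
    return Decision("read_only", "approved device, standard user")

# Constructed connection events: (device instance id, user's groups).
SAMPLE_EVENTS = [
    (r"USBSTOR\Disk&Ven_Acme&Prod_SecureKey&Rev_1.00\AA00000000000489&0",
     ["senior-executives"]),
    (r"USBSTOR\Disk&Ven_Acme&Prod_SecureKey&Rev_1.00\AA00000000000512&0",
     ["staff"]),
    (r"USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_8.07\7&1c2d3e4f&0", ["staff"]),
    (r"USBSTOR\Disk&Ven_Other&Prod_Stick&Rev_2.00\ZZ99999999&0",
     ["senior-executives"]),
]

if __name__ == "__main__":
    for dev, groups in SAMPLE_EVENTS:
        d = evaluate(dev, groups)
        print(f"{d.action:9} {d.reason:35} {dev}")
```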