USB flash drives are a great business tool – with a few risks to keep in mind.
The thumb-sized (or smaller) USB flash drive is a marvellous development in miniaturization that has revolutionized portable file storage. Fast, small, affordable and convenient, the flash drive has become indispensable. Flash drives have become so ubiquitous, they are frequently handed out as corporate-logo-embossed key fobs loaded with marketing and promotional material that can easily be reviewed by clients.
It all started in the mid-1980s when Toshiba developed the NAND flash memory that morphed into the USB flash drives we use today. The first commercial drives sold in the year 2000 held eight megabytes (MB), but within two years they had reached an astounding 64 MB. Today, a flash drive with storage of one terabyte (TB) is available, if you have the cash: a one-TB flash drive currently costs about $1,200.
The ability to store endless amounts of data so easily has resulted in the proliferation of USB flash drives (approximately 80 million are sold each year). Along with this extreme convenience and utility, however, comes an unprecedented threat to personal security.
Why Security Is an Issue
- Drives are small and subject to loss or misplacement. Most do not have access codes, so once a drive is found, its contents can be downloaded by anyone.
- The loss (or theft) of company data such as employee names, addresses, birthdates, social insurance numbers, family-member information and bank information on an unencrypted flash drive could have serious consequences.
- Cyber criminals are starting to write viruses and worms that can penetrate the drives through the USB port. Once the malware is on the drive, it eventually finds its way to the host computer. If the computer is connected to a network, the entire system could be compromised.
- Discipline is required to ensure that USB flash drives do not compromise company data.
Most owner-managed businesses will not be a target of cyber-attack. Nevertheless, protocols should be in place to reduce the chance of loss or the compromising of important information that is transferred to USB flash drives at the end of every working day. The following practices will reduce risks:
- Staff should be provided with corporate USB flash drives. Personal flash drives should never be used on corporate computers.
- All USB flash drives should be scanned for viruses, even within the same office, before the data is transferred from the flash drive to the host computer.
- All USB flash drives should have the staff member’s name and telephone number written onto them. If that is not possible, ensure the flash drive is attached to a lanyard or key-chain tag with the name of the user. If possible, a telephone number in indelible ink should be written on the tag so it can be returned to the owner if lost.
- Instill the habit of returning the flash drive to a specific location as soon as data has been transferred; a drive left on your desk, even for a short time, may be accidentally picked up by a co-worker or cleaning staff, dropped into the trash, or placed in a client file.
- Just as staff should never leave paper with confidential information on their desk at the end of the day, so USB flash drives should also be secured.
- Employees should know they have a responsibility for security of the flash drives and the data they contain. They must understand the harm that may be done through loss of confidential corporate information.
- Ensure your IT administrator uses a mandatory scan that identifies sensitive data and prevents it from being copied.
- Use encryption. Encryption programs may be purchased separately or you may use software included with your operating system, such as Windows BitLocker, to encrypt your files. Encryption software may be configurable to enforce your IT policies. Be sure to research the software before purchase to ensure the software package can accommodate the level of security your company requires.
- Purchase USB flash drives that have built-in security features such as encryption and authentication (e.g., a password or fingerprint). Advise employees that company-issued flash drives should only be used to store the company’s information, and are not for personal use.
- Do not permit any apps or programs, regardless of how helpful they may appear, to be downloaded from any source until they are reviewed and approved.
- Never plug in a device with an unknown origin.
Even if it is not possible to stop the most malicious of attacks, most owner-operated businesses are unlikely targets of hackers and malware-encoded USB flash drives. It is more likely that a small- to medium-sized company would be compromised internally by some failure to follow good security practices. For the majority of owner-operated ventures, keeping computers upgraded with the latest security patches, web-filtering and anti-virus software will isolate and quarantine most attacks that result from not following the rules. If you are able to balance your security needs with the ability to conduct your business, then you can embrace the convenience and versatility of the USB flash drive in your day-to-day operations.
The information provided on this page is intended to provide general information. The information does not take into account your personal situation and is not intended to be used without consultation from accounting and financial professionals. Allan Madan and Madan Chartered Accountant will not be held liable for any problems that arise from the usage of the information provided on this page.