North Wales Management School - Wrexham University

Managing the risks of removable media

Posted on: September 7, 2021

Removable media has been a staple of modern-day computing for decades. It has evolved in many ways, and with heightened awareness of cyber security risks and data protection across the computing sector, it’s more important than ever to make sure removable media is used in a safe and protected way.

What is removable media?

Whether you’re familiar with what removable media means or not, chances are you have used it at some point, either personally or professionally.

Removable media covers all physical items and devices that can carry and transfer electronic information and data by being plugged or inserted into another device. One of the earliest forms of removable media was the floppy disk, which is no longer in use but continues to live on as the ‘Save’ icon in the Microsoft Office package.

Today, removable media devices in popular use include USB sticks like flash drives and thumb drives, storage devices such as external hard drives, memory cards and SD cards, hard disk drives, CD-ROMs, and DVDs and Blu-ray Discs. 

It can also encompass mobile devices and digital cameras, as both can be plugged into a computer to transfer data.

The risks of using removable media

There are two main risks of using removable media. The first is data loss: though the small size and portability of many of these devices may seem like a positive, if they are lost then so is the data and information they hold.

If removable media devices are used for work purposes and hold sensitive information, the results of a loss can be catastrophic. There have been many high-profile cases of companies losing or accidentally leaking sensitive data, and in many cases this data loss has come at a high price, both in reputational damage and financial loss.

Another security risk of using removable media is the introduction of malware from one device to another. In some cases this may be accidental; indeed, most cyber security attacks are a result of human error, and malware can be transferred from a personal computer to a work computer via a USB stick without the user realising a virus was present.

However, attackers often use removable media devices and memory sticks to infect computer systems, using a popular form of social engineering known as ‘baiting’. This is when a malware-infected device is left in a busy, public place for someone to find. Human curiosity means the finder then plugs that device into their own machine, and the malware infects the entire network, stealing personal and sensitive information.

When a malware or ransomware attack is carried out on an organisation's computer, it can have severe consequences. The malware can affect as many machines as are connected to the company network, and can cross borders if the company is a global operation.

A well-known example of a baiting attack happened in 2010, when a USB stick was infected with a malware worm called Stuxnet that was used to gain access to computers in an Iranian uranium enrichment facility. Its ability to spread rapidly through the network resulted in it infecting computers in 155 countries worldwide, and it caused hardware to self-destruct. Since this attack, other groups have modified the virus and used it to target water treatment plants, power plants, and gas lines.

How can you protect against removable media risks?

Many companies now have a security policy that restricts the use of these devices; for example, IBM has reportedly banned the use of removable media entirely.

If the use of removable media is absolutely necessary, the best way to prevent data loss is to only plug trusted sources of removable media into your computer.

To prevent malware attacks, ensure anti-malware and anti-virus software has been installed, run, and updated regularly on all connected machines. This can prevent attacks and enable a level of data protection when using removable media devices. If plugging a USB flash drive into a computer, it’s important to ensure that the machine does not have auto-run features enabled. Auto-run features will automatically run whatever programs are installed on the removable media device once it is plugged in, and if the device has malware installed, having this feature enabled will mean you are unable to prevent the malware from spreading between devices.
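One way to check the auto-run setting described above, as an added example that is not part of the original article: it assumes a Windows machine and audits the `NoDriveTypeAutoRun` policy value under the `Policies\Explorer` registry key, decoding which drive types are still allowed to auto-run. The function names are illustrative.

```python
import sys

# Bits of the NoDriveTypeAutoRun policy value; a set bit disables AutoRun
# for that drive type, and 0xFF disables it for every type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x04: "removable (USB sticks, memory cards)",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def autorun_enabled_types(mask):
    """Drive types for which this mask still allows AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

def effective_mask(hklm, hkcu):
    """The machine-wide value, when present, takes precedence over the per-user one."""
    return hklm if hklm is not None else hkcu

def assess(mask):
    """Classify a policy value; None means neither hive sets it."""
    if mask is None:
        return "NOT SET: OS default applies, set the policy explicitly"
    if mask & 0xFF == 0xFF:
        return "OK: AutoRun disabled for all drive types"
    verdict = "PARTIAL" if mask & 0x04 else "FAIL"
    return f"{verdict}: AutoRun still allowed on " + ", ".join(autorun_enabled_types(mask))

def read_policy(hive_name):
    """Read NoDriveTypeAutoRun from HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER."""
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except FileNotFoundError:
        return None  # key or value absent
    # The value may be stored as REG_DWORD (int) or REG_BINARY (bytes)
    return int.from_bytes(value, "little") if isinstance(value, bytes) else value

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run this on the Windows machine being audited.")
    hklm, hkcu = read_policy("HKEY_LOCAL_MACHINE"), read_policy("HKEY_CURRENT_USER")
    print(assess(effective_mask(hklm, hkcu)))
```

A result of `FAIL` means auto-run is still permitted for removable drives, which is the case the paragraph above warns about.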

Limiting the copying of files to removable media unless absolutely necessary or unless it has been authorised is a good way of adding security controls and data protection within organisations, and scanning any media for malware before it is transferred between devices can prevent attacks.

For further information security in the case of a lost device, many removable storage and removable media devices will have the option of applying password protection. To restrict access and for tighter security controls on any information being transported to outside sources, strong passwords will eliminate the threat in the case of a device being lost or stolen. Any information held on a removable storage device should also be encrypted for an extra layer of protection.

Within organisations, having a policy where employees are required to report missing devices if they are lost and ensuring any removable media that isn’t in use is locked away securely can protect against any risks.

Become an expert in cyber security

Cybercrime is constantly evolving, and so the need for cyber security skills has risen exponentially across many sectors. In fact, it has been estimated that in 2021 there may be up to 3.5 million unfilled cyber security roles (New York Times, 2018).

Whether or not you have a computer science background, the North Wales Management School’s MBA Cyber Security will give you the skills and knowledge you need to succeed in this highly sought-after field.

The in-depth course covers cyber security topics including security and risk management in a digital environment and cyber security for digital businesses, alongside key business topics such as creative change and innovation which will help to propel your career forward.

With six starts a year you can begin within weeks, and as the course is studied part-time you can apply what you learn to your current role as you continue to earn.