Portable devices such as USB drives give users convenient access to business and personal data on the go, but the associated risk is high. The properties that make these devices portable and easy to connect to different hosts also make them vulnerable to loss of physical control and to network security breaches. Using USB drives or other portable devices can increase the risk of data loss (when a physical device is lost), data exposure (when sensitive data is exposed to the public), and network-based attacks to and from any system the device is connected to (both directly and via networks over the internet).

What are the risks of using a USB device?

Using USB devices to transfer files can cause many problems for a user or an organization. 25 percent of malware is spread today through USB devices. These devices may contain malware that you copy unknowingly or that is launched automatically by the autorun feature of your PC. Attacks are also growing more sophisticated and harder to detect, as attackers insert high-tech circuit boards into keyboards and mice to launch malicious code.

Once malware infects a PC to steal or corrupt data, it can spread to other PCs on the network. This gives an attacker an easy way to propagate malware quickly, passing it to every PC that the device connects to. Because these storage devices can introduce malware behind any firewall set up on your PC or network, you might not detect the malware until major damage has been done. USB devices can also give malicious insiders the opportunity to steal data, because the devices are easy to hide and their use is hard to track.

Smart devices can also infect a PC or network when they download applications containing malware or viruses. Their use by a large population, their emphasis on usability, and their immature security tools make them ripe for malware attacks. The practices commonly used for storing sensitive data on smart devices also create the potential for irreparable data exposure or loss.

Size is another risk with portable devices: a small device is easily lost if you leave it at a cafe or in a cab. Losing sensitive or company-confidential data could lead to non-compliance action against you.

Ways to Minimize Risks

Here are some suggested strategies for reducing the risks associated with portable devices, which can be used by individuals or organizations.

Best Practices for Portable Storage Media without Wi-Fi Capability, such as USB Drives, CDs, and Music Players

  • Install anti-virus software and an antispyware solution that will scan any device that connects via a peripheral port, and set up a firewall on your PC. Enable updates to receive notifications for up-to-date security patches.
  • Use a USB drive with onboard anti-virus capability, which will automatically scan both the drive and any computer you plug it into.
  • Do not connect an unknown USB drive or other media device to the PC.
  • Keep personal and official data separate. To avoid risk, do not plug a personal media player into a work PC or a work USB drive into a personal PC.
  • Strong encryption, such as AES 128/256 bit, can be used to protect all confidential data stored on USB drives, CDs, and DVDs. Also make sure you have a backup copy in a safe location.
  • After transferring sensitive data from a USB drive, be sure to delete it using a secure delete utility.

Recommended Practices for Portable Smart Devices

Best practices while using smart devices such as tablets, music players with Wi-Fi capability, and e-readers:

  • Protect the device using a strong password or PIN and change it periodically. Also, set up an idle timeout that will automatically lock the device when you’re not using it.
  • Make sure to download applications, games, and music only from trusted sources and be aware of what features these applications have access to on the device. Avoid downloading applications that do not show this information.
  • Scan the device regularly for malware by using anti-malware software, and take the necessary action when it detects suspicious applications. Also set up a firewall to filter inbound and outbound traffic and block malicious software.
  • Avoid jailbreaking the device. Jailbreaking can make a device more vulnerable because it uses third-party software to remove the limitations imposed on the device by the manufacturer.
  • If you lose your device, use its GPS functionality to track its location.
  • If you don’t fully trust the Wi-Fi you are connected to (e.g., where you may trust the access point, but not necessarily the other users on that network), make sure to encrypt your home network, use a VPN, or otherwise ensure your data is encrypted.
  • Use Bluetooth in “non-discoverable” mode to make the device invisible to unauthenticated devices.
  • Enable the remote wiping feature, if available, so that you can erase all data from the device if you lose it.

Recommended Organizational Practices for All Portable Devices

Best practices for organizations to follow for managing all types of portable devices:

  • Only use removable media that is approved by the organization’s security system. Many companies have established security policies for all types of portable media devices, enforced by systems that detect the device and request acknowledgement whenever a user connects it to a PC.
  • The organization must support only a few devices and consider their security features and vulnerabilities.
  • A secure VPN connection must be the only option for connecting to the organization’s network.
  • Personal portable media devices must be banned from the workplace, as they can’t be monitored by the organization.
  • Consider the benefits of distributing corporate-controlled devices over allowing the employees to use their personal devices for work.
  • Employees must be trained on the importance of using strong passwords and PINs, of changing them periodically, and of reporting missing devices immediately so they can be wiped of all data.
  • Consider keeping track of the mobile devices used by employees that may carry sensitive company information, and audit them on a regular basis.
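
An added example (not from the original article or its reference): one way to audit the approved-removable-media rule above on a Linux host, by matching USB mass-storage attach events in the kernel log against a list of issued drives. The log excerpt, device IDs, serial number and the `APPROVED` set are constructed for illustration.

```python
import re

# Constructed Linux kernel log excerpt (dmesg style); IDs and serial are made up.
SAMPLE_LOG = """\
[  101.10] usb 1-2: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[  101.11] usb 1-2: SerialNumber: EXAMPLE-SERIAL-0001
[  101.12] usb-storage 1-2:1.0: USB Mass Storage device detected
[  250.40] usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  399.90] usb 1-4: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  399.92] usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of organization-issued drives: (vendor, product, serial).
APPROVED = {("0781", "5581", "EXAMPLE-SERIAL-0001")}

NEW_DEV = re.compile(r"usb ([\d.-]+): New USB device found, "
                     r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def audit_removable_media(log_text, approved=APPROVED):
    """Return (port, 'vid:pid', reason) for each unapproved storage attach."""
    devices = {}    # bus port -> most recently enumerated device on that port
    findings = []
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            devices[m[1]] = {"vid": m[2], "pid": m[3], "serial": None}
        elif m := SERIAL.search(line):
            if m[1] in devices:
                devices[m[1]]["serial"] = m[2]
        elif m := STORAGE.search(line):
            dev = devices.get(m[1])
            if dev is None:
                findings.append((m[1], "unknown", "storage attach without enumeration record"))
            elif dev["serial"] is None:
                # Without a serial the drive cannot be tied to an issued device.
                findings.append((m[1], f"{dev['vid']}:{dev['pid']}", "no serial number"))
            elif (dev["vid"], dev["pid"], dev["serial"]) not in approved:
                findings.append((m[1], f"{dev['vid']}:{dev['pid']}", "not on approved list"))
    return findings


if __name__ == "__main__":
    for port, ids, reason in audit_removable_media(SAMPLE_LOG):
        print(f"ALERT port={port} device={ids}: {reason}")
```

Only mass-storage attaches are audited here; the non-storage device on port 1-3 is ignored, so keyboards and mice need a separate control.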

Using portable devices has both benefits and drawbacks, but if you follow the best practices mentioned above, you can minimize or at least reduce the risks. Whenever you get a new device from the market, always consider its security features, its possible vulnerabilities, and the ways it could be targeted by malicious attackers.

Reference

https://us-cert.cisa.gov/sites/default/files/publications/RisksOfPortableDevices.pdf