A USB drive is such a handy, inexpensive way to transport information that technology research analyst Gartner estimates 222 million USB devices shipped last year. But in some instances, those devices transport trouble as well.
Small businesses in particular are paying a price for the convenience of using USB drives. As we grow more savvy to malicious attacks via e-mail and other avenues, cybercriminals are turning to USB drives to distribute malware. According to research by Panda Security, a whopping 25 percent of malware today is developed to disseminate through USB devices. The top two threats in security provider BitDefender's most recent E-Threats report are spread through USB drives.
"Just these two viruses account for 17 percent of the total number of malware apps in the world," says Catalin Cosoi, head the Online Threats Lab for BitDefender. BitDefender is also seeing new samples of malware distributed via USB drive. "Most hackers are lazy and don't want to spend hours and hours trying to hack secured computers," Cosoi explains. "If they can attack an easy target with just a few clicks, they will do that. Spreading malware through USB devices is just as easy as it sounds."
Why you might be vulnerable
The risk posed by malware-infected USB drives isn't limited to small and mid-sized businesses. IBM apologized after distributing infected drives at an Australian security conference earlier this year. However, experts say small businesses are vulnerable because of these factors:
- Older operating systems. Windows Vista and Windows 7 offer much more protection against infected USB drives, notes Tim Armstrong, a malware analyst with security vendor Kapersky Labs. However, Windows XP remains the most-used operating system worldwide, and the malware exploits the "AutoRun" feature for removable media. Stick a USB drive into the port on a Windows XP machine, and you may find your every keystroke logged and sensitive business files distributed to servers halfway around the world. Even if your company has upgraded its operating system, your employee might be working at home on Windows XP.
- A lack of security know-how. Smaller businesses are less likely to have dedicated IT personnel or to have policies in place to combat risky USB use. For instance, Good Samaritans in your company may be inclined to pick up a drive found in the parking lot, then insert it into their work computer to see if they can find the drive's owner. "Somebody could write a script on that drive that goes and searches for your sales database and contact list," says Rich Baich, principal for security and privacy at Deloitte & Touche LLP.
- Alternative ways to share information. It may be easier for a small company to rely on USB drives than to take the time and resources to develop other solutions, such as working in the cloud.
How to protect your business
You can't afford to ignore this threat, say security experts. However, there are smart steps you can take to insulate your business from the risks posed by malware-infected USB devices. These steps are essential:
- Maintain up-to-date security solutions. Make sure your security is up to date on all computers attached to your business, and enable Windows updates. Consider an endpoint security solution that can prevent USB drives from being recognized
- Disable AutoRun. Countless online tutorials detail how to disable AutoRun. To temporarily disable AutoRun, hold down the shift key as you insert a USB drive.
- Maintain a dedicated computer. If your business is small enough that it's practical to keep all critical information on one computer, consider doing so, says Baich. Then, don't ever insert USB devices into that computer. "Keep it very clean. Don't go surfing websites, use it only for business functions," he advises.
- Update your operating system. Lessen your risk by using a more recent version of Windows or another operating system.
- Use security-protected devices. "Although USB drives are a major culprit for spreading malware, they have also evolved tremendously over the years," says Cosoi. "Some brands have built-in security software, which makes them safer. Look for these USB drives, and use them exclusively."
- Educate your employees. In most cases, your employees are going to find the simplest, most convenient way to get their jobs done. It's up to you to provide a means for them to move information when necessary and to outline the risks involved with USB drive use. Even posting a sign telling workers not to use unknown USB devices is likely to help. However, establishing a usage policy is your best protection. Parameters might include never running personal USB drives on work computers or business drives on home computers and passing along "found" drives to a designated employee, who can safely scan the devices.
- Consider alternatives. "It's almost time to move away from USB sticks to cloud-based solutions," Armstrong says. Break the USB habit by offering alternatives for file-sharing and storage, but make sure you have employee buy-in, say experts.
"Companies should take this issue very seriously," cautions Cosoi. "At BitDefender, we think USB-transmitted malware is more dangerous than e-mail or other ways of propagating malware."