In an effort to minimise the risk of ‘financial and reputational damage’ through misplaced or misused data, IBM has prohibited the use of removable storage devices by its employees – a move that might prove troublesome for some, but can also provide a plethora of clear benefits to the employer.

Shamla Naidoo, IBM’s global chief information security officer, said the company ‘is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)’. This policy will cause some level of frustration for many employees who are used to using these portable storage media to move data from machine to machine, or to enable them to work from the comfort of their own homes. From the employer’s standpoint, however, this blanket ban on removable storage will help reduce the chances of company data being stolen or misplaced, either purposely or accidentally, and also has the added benefit of limiting the potential spread of malware that uses removable storage as a method of propagation.

Banning the use of removable storage media also reduces the chances of a company being hacked through the tried-and-tested method of strategically dropping malicious USBs into the carpark of a target business and waiting for a user to plug in the device. In a 2016 real-world study conducted at the University of Illinois, of 300 malicious USB devices dropped in a carpark, a staggering 48% were connected and had their malicious files executed by a user. With this clear network security risk, the banning of all USB devices will help to limit this otherwise-common issue.

From a forensic standpoint, investigation into USB devices, and the transfer of data to and from these devices, is not as simple as many believe. Windows and Macintosh systems keep no log of transfers from one location to another, but evidential artefacts known as LNK files can prove access to particular locations and files. These can often build up a narrative where the user can be seen plugging in and accessing a USB storage device, then opening up a network share where confidential data is kept. Seconds later, once the transfer is complete, the user will usually open the file from the USB drive to ensure they have correctly copied the data that they need. Each stage of this process leaves a trace, and together the traces show a clear timeline of the user’s actions that is adequate evidence of the theft of a file or folder.
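The timeline described above can be reconstructed from parsed LNK metadata. The following is an added example, not code from the article or from IT Group: the records are constructed, and the record layout, drive-type labels and ten-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (LNK timestamp, drive type of target, target path),
# in the shape an LNK parser might export. Labels are this example's own.
RECORDS = [
    ("2018-05-14 09:02:11", "fixed", "C:\\Users\\jdoe\\Documents\\notes.docx"),
    ("2018-05-14 17:41:03", "removable", "E:\\"),
    ("2018-05-14 17:41:40", "network", "\\\\fileserver\\clients\\client_list.xlsx"),
    ("2018-05-14 17:42:05", "removable", "E:\\client_list.xlsx"),
    ("2018-05-15 10:15:00", "network", "\\\\fileserver\\hr\\rota.xlsx"),
]


def find_copy_sequences(records, window=timedelta(minutes=10)):
    """Flag a file opened on a network share and then opened under the
    same name on a removable drive within `window` (assumed threshold)."""
    rows = sorted((datetime.strptime(ts, FMT), kind, path)
                  for ts, kind, path in records)
    hits = []
    for i, (t_src, kind, src) in enumerate(rows):
        name = basename(src).lower()
        if kind != "network" or not name:
            continue
        # Earlier removable-drive accesses show the device was already in use.
        prior_usb = [r for r in rows[:i] if r[1] == "removable"]
        for t_dst, kind_dst, dst in rows[i + 1:]:
            if t_dst - t_src > window:
                break  # rows are sorted, so nothing later can match
            if kind_dst == "removable" and basename(dst).lower() == name:
                hits.append({
                    "usb_last_seen_before": prior_usb[-1][0] if prior_usb else None,
                    "source": src, "source_opened": t_src,
                    "copy": dst, "copy_opened": t_dst,
                })
                break
    return hits


if __name__ == "__main__":
    for h in find_copy_sequences(RECORDS):
        gap = (h["copy_opened"] - h["source_opened"]).total_seconds()
        print(f'{h["source"]} -> {h["copy"]} ({gap:.0f}s apart, '
              f'USB accessed at {h["usb_last_seen_before"]})')
```

A match on file name and timing is a lead for the examiner to corroborate with other artefacts, not proof of a copy on its own.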

We have seen many cases where the use of unauthorised USB devices has proven to be key to the case at hand; often this method of data exfiltration is the first choice for many, simply because it involves the least technical skill, is believed to be the most discreet, and can be kept on their person throughout the process. Cases where whole client databases were copied, where a few key files have been taken, or where programmers have taken code that they believe to be their own property are all example cases that IT Group has worked on. Typically, this evidence is fairly clear-cut, with USB transfers being a relatively routine investigation that can be executed quickly.

These measures could be of particular value to a law firm, partly due to the reduced chance of network security risks, but also because they reduce the chance of accidental loss of company or client data. USB storage devices are infamous for getting lost, left on the bus, wedged down the side of the sofa, falling out of pockets etc. Any of these scenarios could lead to a third party plugging in this USB drive and gaining access to potentially private and confidential data.

Many companies will feel that a blanket ban on these devices is a step too far and will cause too many issues for their employees. As an alternative, looking into the use of encrypted USB devices is the only effective stop-gap measure.