A Coup and a Theft: Why MSPs Can’t Let Clients Get Lax About USB Security
… insider threats and the risks that USB devices represent. In my experience, these cases come down to business leaders saying, “I trust my people,” while being dangerously naïve about what those people are actually capable of. It’s a matter of trust until that trust is broken, and the school of hard knocks teaches them a rough lesson.
In both of the incidents I mentioned, the clients signed up for USB protection immediately after. The need to lock down and enforce encryption on USB drives is often a wide-open gap that clients overlook. It falls to us MSPs to ensure that gap is secured, and that clients don’t have to learn about USB risks the hard way.
Employee Monitoring, with Warnings
Employee monitoring software can also provide a strong deterrent against copying company files to a USB drive. If an employee tries to do so, the software presents a pop-up warning that copying files to a USB drive is against company policy and that their activity is monitored. At that point the defiance is clear if the employee proceeds; there’s no room for them to argue that they thought what they were doing was allowed.
The USB Malware Vector
USB drives present an inviting vector for malware as well. It’s a common pen test to drop a few hundred USBs in parking lots, label files something intriguing like “modeling photos” or “4th quarter financials,” and include software able to call home to determine how many drives get picked up and plugged in. In these tests, this attack method has a 45%-98% success rate.
As part of an employee training regimen, security providers can run such tests on a business’s campus and even display which employees plugged found USB devices into which machines. It makes sense for MSPs to harden clients against these threats, on both the hardware security and employee behavior fronts.
Thumb-Size Threats
USB devices are everywhere. A client’s employees will attend a trade show and come back with 10 of them. Whether employees are malicious or simply careless, it must be assumed that they’re carrying USB drives and that they are a threat. Clients will invariably believe “it’s not going to happen to me” until it does. It’s our job as MSPs to overcome clients’ head-in-the-sand mentality and be their savior when it comes to USB security.
Eric Woodard is the CEO at Protek, an IT service provider based in Sandy, Utah.