


USB Drives Continue to Raise Security Concerns

Jun 25, 2007 | 2 mins
Data and Information Security | IT Leadership | Physical Security

Well, it’s official: the threat posed by removable media, like USB drives, has now surpassed malware in the minds of most IT managers. When you combine that concern with the results of a recent survey that reported 45% of workers steal data when changing jobs, you can understand what keeps IT managers and corporate lawyers up at night. When the entire research base of a company can be stored on media smaller than a matchbook, businesses should be concerned. The problem is that few businesses are taking any real proactive measures to address the issue. In my own informal survey of medium to large businesses, only a small percentage even have a specific policy on the use of removable media. Fewer still have implemented any technological means to disable or limit use of USB ports.

Given the risk involved and the relatively low cost of implementing policies, conducting employee education, and potentially deploying technological means to limit abuse of USB ports, more businesses should be actively working to minimize this threat. Failure to do so may well leave the business with significant exposure — both to third parties (in the event personally identifiable information is compromised) and, potentially, to its own shareholders and investors (in the event company proprietary information is compromised). The risk is simply too great and the solution too straightforward not to address this problem.

In addition to addressing the issue of USB drives and other removable media within the company, businesses should also consider requiring specific contractual protections in their vendor relationships to ensure the vendor does not compromise the business’s confidential or proprietary information through the use of removable media.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP, where he focuses on drafting and negotiating technology-related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
