IBM bans USB drives – but will it work?

A job worth doing is worth doing well.

And when a job is worth doing well, it’s often worth going all-in.

A good example is how to quit smoking: you can try cutting down a bit in the hope of tapering off; you can try smoking milder cigarettes; you can try replacing your addiction to the nicotine in cigarettes with an addiction to the nicotine in something else; you can even carry on smoking but tell everyone, including yourself, that you didn’t inhale.

But quitting doesn’t admit of half measures, and the best and quickest way to do it is simply never to smoke again, from this day forward, for evermore.

Job done. (As in, “Easier said than.”)

By all accounts, IBM has decided to do just that – go cold turkey, that is – in dealing with the problem of lost data on removable storage devices.


Instead of trying to manage the problem of who copied what to which USB stick from what computer using which type of encryption, word on the street is that IBM’s Chief Information Security Officer (CISO), Shamla Naidoo, has taken a much blunter approach, along the lines of, “If you want to move files around, use the network.”

It’s a bold approach, and in the modern cloud era, it’s not as outrageous as it might at first sound.

Many users are perfectly used to backing data up into the cloud, and even to having files such as photos automatically uploaded from one device and seamlessly synched with another.

But can an outright ban on something as widely used, and as useful, as USB sticks really work?

We asked our very own CISO, Ross McKerchar, what he thought:

Removable storage is a massive concern. While it’s a less common (but still real!) malware infection vector now, the biggest risk these days is data leakage.

To take a quick trip down memory lane: seven years ago we bought a stash of USB keys from a lost property auction as an experiment. 66% of them had malware on, and not a single one was encrypted.

With Europe’s GDPR kicking in at the end of this month, threatening much bigger fines for companies that don’t take proper care of their data, the timing of IBM’s new rule is hardly a surprise.

After all, if you don’t have a USB drive in the first place, you can’t lose it, so that’s one less way for data to show up in the wrong places.

But, as Ross warns:

Outright bans of any useful technology breed “shadow IT” [where users just do their own IT thing anyway]. Humans are highly creative and often find workarounds that are more risky than the thing being banned. Where possible, organisations will be more effective making the easy way the safe way.

Enforcing USB encryption across a company the size of IBM is probably very tricky, but for a company of average size, it’s a good way to mitigate the risk whilst allowing people to work in a way they’re comfortable with.

Providing sanctioned cloud sharing services as well, combined with the right controls add training, helps further because it can avoid the need to copy data onto USB drives in the first place. One handy thing about sharing rather than copying content is that it’s much easier to audit and ‘unshare’ if a mistake is made.

What’s a USB drive, anyway

One tricky challenge with an outright ban on USB drives is that there are many different sorts of removable storage – notably including devices that present themselves with two faces.

For example, I have a portable audio recorder that I use for podcasting: you can plug in into a laptop and use it as a high-quality microphone, or you can use it as a handheld standalone device and download the files from it later on.

You can see where this is going: when you connect the device via a USB cable, a menu pops up on the device where you choose which way the device will work, and one of those options makes it behave as a USB drive.

Do you ban the device because it’s a part-time USB drive? Do you take the extra steps needed to teach your device control software that it’s two subdevices, and that the audio-flavoured one is OK but the disk-flavoured one is not?

If you make me an exception to the rule, because I’m special on account of doing podcasts, how do you deal with the fallout from that, when everyone else decides they’re special, too?

(All they have to do is say they need to record meetings, or that they’re also into podcasting, or that they’ve got a similar issue with a camera that they use for work purposes.)

If you block everyone else, forcing them to change, but let me off the hook so that I really am special, what then?

As Ross warns:

Insider threats are a concern for all organisations. The first defence is a vigilant management team – employees intent on doing something malicious are often disenfranchised and frustrated.

What to do?

We can see why IBM, an enormous IT company that is itself a giant cloud provider, might want to replace USB drives with ubiquitous network storage, and why such an approach might not only work well, but also be largely obeyed by staff.

But if you have a small business, with a few employees who are sometimes in the office, sometimes at home, and sometimes on the road…

….the convenience of USB drives for temporary backup, or to have around to tide you over internet outages, is probably a baby that you don’t want to throw out with the bathwater.

Worse still, even if you try to ban USB drives outright to save IT effort, you may very well find that you have created yet more IT effort to make sure you sometimes detect but sometimes allow all the “edge cases” such as audio recorders, cameras, and so on.

So, here are some tips that avoid the need for an outright ban on anything:

  • Encrypt all your USB devices. It’s a bit more work than just having a free-for-all, but if you routinely encrypt everything, you never have to worry whether there were any files you forgot about.
  • Provide easy-to-use alternatives. If you want to wean your staff off USB storage, give them a cloud-based solution that they’ll want to use, and that’s easy to learn.
  • Make everyone aware of the risks. Banning USBs won’t stop data leakage – data copied to the cloud has “gone somewhere else” too, after all – so make sure your staff know why it’s important to care about security.
  • Check your logs. Whether you use USBs, cloud drives or both, be sure to check any logs you keep of who’s put what where. If you aren’t going to look at your logs, don’t bother keeping them – never collect any data without a purpose.

To finish off with some board-level advice from Ross:

Visibility in computer security is vital. By having reporting tools for content sharing, CISOs can help senior management understand the risks and benefits of allowing sharing methods, whether they’re USB drives or cloud services.