Device Security · 10 February 2025 · 5 min read

Why USB Drives Are a Cyber Security Risk for Your Business

USB drives can carry malware, steal data, and bypass your security controls. Here's why they're dangerous and how to manage them safely.


The Little Device With a Big Risk

USB drives — also called thumb drives, flash drives, or USB sticks — are everywhere. They're cheap, portable, and handy for transferring files. But they're also one of the sneakiest cyber security risks your business faces. Unlike most threats, which arrive via email or the internet, a USB drive can walk right into your office in someone's pocket and deliver malware directly to your network — bypassing your firewall and most other security controls entirely.

This isn't a theoretical concern. USB-based attacks have been used against businesses, hospitals, government agencies, and critical infrastructure around the world. Even if your business isn't a high-profile target, opportunistic attacks via removable media are common and growing.

How USB Drives Become a Threat

There are several ways a USB drive can compromise your business:

Malware delivery

A USB drive can carry malicious software that installs automatically when plugged into a computer. Some malware is designed to activate without any user interaction at all — just plugging in the drive is enough. This malware can include ransomware, spyware, or tools that give attackers remote access to your systems.

The "lost drive" attack

Attackers sometimes deliberately leave USB drives in car parks, building lobbies, or near business premises — loaded with malware. Curious employees pick them up and plug them into work computers. Studies have shown this method is surprisingly effective. The Australian Cyber Security Centre (ACSC) has specifically warned businesses about this tactic.

Data theft

USB drives can also be used to steal data — intentionally or otherwise. An employee (or a visitor who gains brief physical access to a computer) can copy sensitive customer data, financial records, or intellectual property onto a USB drive in seconds. With drives available in capacities of hundreds of gigabytes, a significant data breach can happen very quickly and leave no obvious trace.
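One caveat a practitioner would add to the "no obvious trace" point: Windows itself keeps a record of every USB storage device it has ever enumerated. The following read-only PowerShell inventory is an added example, not code from the original article; it reads the USBSTOR registry key and uses Get-PnpDevice to flag devices that are still attached.

```powershell
# Added example, not from the original article: a read-only inventory of the
# USB storage devices Windows has recorded under its USBSTOR registry key.
# Run in PowerShell as an administrator. Windows keeps one entry per USB disk
# it has ever enumerated, so a drive used to copy files does leave a record.

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (-not (Test-Path $usbstor)) {
    Write-Host 'No USB storage device has ever been enumerated on this machine.'
    return
}

# Instance IDs of USB disks attached right now, to mark which are still present.
$presentIds = @(Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty InstanceId)

$devices = foreach ($model in Get-ChildItem -Path $usbstor) {
    # Model key names look like: Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
    $parts = @{}
    foreach ($field in ($model.PSChildName -split '&')) {
        $kv = $field -split '_', 2          # split once: product names may contain '_'
        if ($kv.Count -eq 2) { $parts[$kv[0]] = $kv[1] }
    }
    # Each child of the model key is one physical device, named by its serial
    # number (a trailing "&0" is the USB interface index, not part of the serial).
    foreach ($instance in Get-ChildItem -Path $model.PSPath) {
        $props = Get-ItemProperty -Path $instance.PSPath
        $instanceId = "USBSTOR\$($model.PSChildName)\$($instance.PSChildName)"
        [pscustomobject]@{
            Vendor       = $parts['Ven']
            Product      = $parts['Prod']
            Serial       = $instance.PSChildName -replace '&\d+$', ''
            FriendlyName = $props.FriendlyName
            Present      = $presentIds -contains $instanceId   # case-insensitive
        }
    }
}

$devices | Sort-Object Vendor, Product, Serial | Format-Table -AutoSize
```

First- and last-connection timestamps live in each device's Properties subkey, which administrators cannot read by default, so they are left out here.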

Device spoofing

Some malicious USB devices are designed to look like normal storage drives but actually present themselves to the computer as a keyboard or network adapter. These "BadUSB" attacks can execute commands on the computer automatically, and they're very difficult to detect with standard antivirus tools.

What Good USB Security Looks Like

Managing USB risks doesn't mean banning them outright — though in some industries that's the right call. It means putting sensible controls in place and making sure your team understands why they matter.

Establish a clear policy on removable media

Your team should know the rules around USB drives. A basic removable media policy should cover:

  • Whether personal USB drives can be used on work computers
  • How to handle any USB drive found on the premises or received unexpectedly
  • What types of data can be transferred via removable media
  • That unknown USB drives should never be plugged in — they should be handed to a manager or IT contact

Disable AutoRun and AutoPlay

Windows computers historically had a feature called AutoRun that would automatically execute software on a USB drive when it was plugged in. This has been disabled by default in newer Windows versions, but it's worth confirming this is the case on all your business computers. In Windows 10 and 11, you can check this in Settings under Bluetooth & devices > AutoPlay.
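Checking the Settings page works for one machine; for a fleet you want the policy values themselves. The script below is an added example, not code from the original article: it reads the registry values that the AutoRun and AutoPlay policies set and reports which ones are explicitly enforced.

```powershell
# Added example, not from the original article: a read-only audit of the
# AutoRun/AutoPlay settings on a Windows 10/11 machine. Run in PowerShell
# as an administrator. It changes nothing; it only reports what is set.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: Windows defaults apply
}

$explorerPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$findings = foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\$explorerPolicy"
    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun turned off;
    # 0xFF covers every drive type (what the "Turn off AutoPlay" policy sets).
    $mask = Get-RegValue -Path $key -Name 'NoDriveTypeAutoRun'
    [pscustomobject]@{
        Scope    = $hive
        Setting  = 'NoDriveTypeAutoRun'
        Value    = if ($null -eq $mask) { '(not set)' } else { '0x{0:X2}' -f $mask }
        Enforced = ($mask -eq 0xFF)
    }
    # NoAutorun = 1 stops autorun.inf commands from being executed at all
    # (the "Set the default behavior for AutoRun" policy).
    $noAutorun = Get-RegValue -Path $key -Name 'NoAutorun'
    [pscustomobject]@{
        Scope    = $hive
        Setting  = 'NoAutorun'
        Value    = if ($null -eq $noAutorun) { '(not set)' } else { $noAutorun }
        Enforced = ($noAutorun -eq 1)
    }
}

# The per-user toggle behind Settings > AutoPlay ("Use AutoPlay for all media
# and devices") is stored here; 1 means AutoPlay is switched off.
$autoplay = Get-RegValue -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' -Name 'DisableAutoplay'
$findings += [pscustomobject]@{
    Scope    = 'HKCU'
    Setting  = 'DisableAutoplay'
    Value    = if ($null -eq $autoplay) { '(not set)' } else { $autoplay }
    Enforced = ($autoplay -eq 1)
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Enforced }) {
    Write-Warning 'Not every AutoRun/AutoPlay setting is explicitly enforced; set them centrally via Group Policy or Intune rather than relying on defaults.'
}
```

A "(not set)" result means the Windows default applies, which on current versions already blocks autorun.inf on removable drives; the point of the audit is to confirm the hardened value is pinned by policy on every machine.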

Use endpoint controls to restrict USB use

If your business handles sensitive data and you want tighter control, you can restrict which USB devices can be connected to your computers. Microsoft Intune and Windows Defender for Endpoint both support device control policies that can block or allow specific types of USB devices, or require that all removable media be encrypted. Sophos and other endpoint security platforms offer similar controls.

Scan any USB drive before use

If USB drives are genuinely needed in your business, establish a rule that any external drive — including ones brought in by customers, suppliers, or staff — gets scanned with endpoint security software before files are opened. Many antivirus solutions will scan automatically when a drive is connected, but it's worth confirming yours is configured this way.

Use encrypted USB drives for sensitive data

If you need to transport sensitive data on USB drives, use encrypted drives that require a PIN or password to unlock. Products like Kingston IronKey or Apricorn Aegis offer hardware-encrypted USB storage. Some even have a self-destruct feature that wipes the drive after a set number of incorrect PIN attempts.

Physical Security Matters Too

USB risks aren't purely a software problem. Physical access to your computers also matters. Consider:

  • Whether visitors have unsupervised access to computers with accessible USB ports
  • Whether unused USB ports on shared computers could be physically blocked
  • Securing server rooms and network equipment from unauthorised access

If someone can sit at an unattended, unlocked computer for 30 seconds, a USB-based attack can be completed before anyone notices. This reinforces why screen locking — automatic and when stepping away — is important.

Key Takeaways

  • USB drives can deliver malware, steal data, and bypass your internet-facing security controls
  • Attackers deliberately leave infected USB drives in public areas to trick employees into plugging them in
  • Establish a clear policy: unknown USB drives should never be plugged into work computers
  • Confirm AutoRun/AutoPlay is disabled on all business computers
  • Use endpoint security tools to scan or restrict USB devices if your business handles sensitive data
  • For data that must be transported on USB, use encrypted drives

Removable media is just one of many device security risks that the free assessment at flagged.com.au helps you evaluate. Find out how your business measures up in minutes.

Tags: USB security, removable media, malware, device security, small business