Viruses found on 66% of recovered USB keys

If employees in your company use USB memory sticks to carry around important documents, you may want to warn them about the dangers of those portable storage drives. A recent study shows how few precautions users of USB keys take. 

Those drives are often infected with malware, and many are lost by their owners while containing sensitive, unencrypted information, according to a recent study by security firm Sophos.

Security researchers looked at 50 USB keys that had been lost by commuters at a train station in Sydney, Australia. The drives were purchased from the railway at a public auction.

The devices’ previous owners were lucky they ended up with a security company and not a criminal. Many of the drives contained sensitive personal or work-related information, such as tax documents, software and web source code, and blueprints for projects. None of the drives were encrypted or seemed to contain any encrypted files.

In addition to that data, researchers found viruses — and lots of them. Two-thirds, or 33, of the keys were infected with malware.

Spreading malware through USB drives has become a popular tactic with hackers, as malware delivered that way is often not caught by antivirus software and can exploit PCs’ auto-run feature. In fact, a study from last year found that 27% of the malware attacks organizations face come from an infected USB drive.

To help prevent those attacks, experts recommend organizations:

  • disable USB ports for users who don’t need them
  • disable auto-play for USB drives
  • require storage devices to be approved by IT before they’re used, and
  • train users not to use drives if they don’t know where they came from, and not to open unknown files contained on drives.

As for the loss of important data due to USB keys being left behind, one source of the problem could be that the low cost of the drives makes users careless with them, Sophos suggests — researchers noted that in Australia, the average retail price of a USB key is less than that of a pint of beer.

IT can train users to understand that the drives may be cheap, but the data contained on them may have a big price tag. Also, providing users with secure, encrypted USB keys may keep users from bringing in their own unsecured drives.