MSPs: Don't Let Clients Neglect USB Security

By Eric Woodard, Protek

MSPs, please heed my warning: the simple USB drive can devastate your clients’ businesses if not taken seriously. I’ve seen it happen more than once. While high-profile threats like ransomware and advanced cyber threats are top-of-mind for most MSPs and their clients, it’s also crucial to recognize that each thumb drive lying around the client’s office, home, airport, doctor’s office, tradeshow, parking lot, or, well, anywhere is a potential company-killer hiding in plain sight. Without effective safeguards in place, any employee is free to jab a USB into client systems like a stiletto to the heart, spilling out sensitive data and company secrets that are the lifeblood of a business.

Here are three USB security musts that I recommend MSPs put in place, along with a few true-life stories of businesses that learned their risks the worst way you can.

1) Secure data with remotely enforced USB drive data encryption.

Clients who are otherwise quite security-savvy are often blind to insider threats. I’ve heard company leaders say, “I trust my people,” when the far more prudent course is to instead trust in robust and enforceable USB drive encryption.

One client of ours – a 150-employee business in the mortgage industry that we’ve worked with for years – learned this all too well. The incident happened earlier in our partnership when clients selecting piecemeal security options from their MSPs was more the norm. Today, it’s my resolute advice to refuse to do business with any client that doesn’t accept your comprehensive security strategy and full recommended solutions stack. Considering that a data breach can shatter the reputations of both client and MSP alike, it’s imperative to tell potential clients looking for bargains to look elsewhere. This particular case I’m describing is all the more tragic because our client did accept just about every security feature we offered…except for USB safeguards.

What happened is this: our client’s owner had an offer to sell the company, and let his managers know about the plan. One of these managers took the news badly, to say the least, and began plotting to more or less steal the business. His approach? Attempting to recruit three dozen current employees to begin a new company, and to steal all of the current company’s customer data too. From a customer perspective, this should be a shocking prospect, that a rogue employee could get ahold of sensitive mortgage file data including tax returns, financial records, and more. The employee’s weapon of choice for committing this act was, as you may have guessed, a USB drive.

While the company had a firewall, web filtering, and other non-USB-specific precautions in place, the employee evaded these using a VPN product he had bought. He did make a few arrogant mistakes, however. First, during the data transfer, he contacted us for support for an unrelated matter (obviously not for support stealing data, bold as he was), which allowed one of our technicians to observe and flag the odd activity. We quickly contacted the owner and documented the list of stolen files and the USB file transfer itself with a screenshot. Also, the screenshot revealed that this employee also was browsing pornography on his second screen to kill time during the file transfer, bringing his nasty acts per screen to a 1:1 ratio.

This incident threw a wrench in the owner’s deal to sell the company, and it’s still his today. The employee was able to get away with his USB drive of stolen data, which he took straight to a competing business. A lawsuit and ongoing court case followed, where the man’s theft and browsing activities are now part of the judicial record.

Just after this incident, our client was suddenly quite receptive to adding USB security to our list of services. We introduced BeachheadSecure USB Storage, which is my recommended managed tool for MSPs providing USB drive data encryption that can be enforced remotely. The solution also tracks and logs all files placed on USB drives, allows us to manage what devices have permission to open what files, and lets us delete data remotely if circumstances call for it.

2) Introduce employee monitoring (and warn them away from poor choices).

Unfortunately, USB drive-based insider threats aren’t so rare as clients would like to imagine. We experienced another such story with a client in the engineering industry. This client had several employees copy sensitive data and schematics onto a USB drive, and leave to found their own business. In an arguably rude flaunting of what they’d done, these former employees displayed these exact drawings on the website of their new business.

Needless to say, our client was disappointed by the behavior of these formerly trusted ex-employees, and quickly opted for our managed USB drive security solutions. For example, another key component to a USB security strategy is employee monitoring software, which can detect file transfer attempts. Such solutions can warn employees with a pop-up explaining that their actions are monitored, and that proceeding to copy files would break company policy. This automated messaging can talk down employees who might be making heated, out-of-character decisions in the moment. It also makes it clear that employees who ignore the warning know exactly what they’re doing and deserve the consequences.

3) Train employees in best practices to avoid USB malware.

You may have heard of this USB malware pen test: drop a few hundred USB drives on the street and in other public spaces. Label the drive something juicy like “modeling pics.” Include benign malware-like software able to call home. In such tests, 45-98% of the USB devices get plugged in and could have delivered their potential malware payload.

This is why MSPs must secure clients by introducing robust employee training regimens that prepare them against such threats. To put client employees to the test, you also can introduce KnowBe4 or a similar security solution to run the USB pen test on your own clients’ campuses.

These tests provide granular details, down to who at the company put a drive from the parking lot into which computer, teaching employees a lesson as embarrassing as it is valuable.

While clients are prone to optimism when it comes to their employees’ intentions and behaviors, MSPs must be harsh realists to protect clients from themselves. If your clients need convincing that USB drives are a threat to their businesses, feel free to tell them a couple of stories you heard from me.

About The Author

Eric Woodard is the CEO at Protek, an IT service provider based in Sandy, Utah.