IBM bans all staff from using USB drives out of security concern

IBM is banning all removable storage, company-wide, in a new policy that seeks to avoid financial and reputational damage stemming from a misplaced or misused USB drive.

IBM global chief Information security officer Shamla Naidoo told staff in an internal e-mail that the company “is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”

Although some departments already had this policy in place for a while, “over the next few weeks we are implementing this policy worldwide,” Naidoo said, according to The Register.

The reason for the radical new policy is simple and well justified in a world laden with data breaches: “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimized,” the CISO clarified.

Avid readers will remember that Stuxnet was written to “hop” from terminal to terminal through USB drives moving between them as attack vectors. Some of the networks it targeted were air-gapped, meaning they had no direct access to the outside world. For those who fear such an event in their respective networks, Bitdefender”s USB Immunizer prevents malware from setting itself up on USB drives.