USB drives and the hidden front door into secure systems for startup security
Startup Magazine’s editorial team delivers independent, expert-led coverage of the…
Removable media has a habit of surviving every new security trend. Cloud sharing is common, yet USB drives still turn up in meeting rooms, plant control cabins, server racks, and contractor tool bags. They are fast, familiar, and often the only practical way to move files into environments that are restricted or offline. That convenience creates a predictable problem: a single unmanaged device can carry malware straight past perimeter defences and into the systems that matter most.
Why USB risk has not gone away
The attacks have adapted to the medium
Security teams sometimes treat USB threats as a relic of the early 2010s. The evidence says otherwise. Industrial research published by Honeywell describes removable media as part of modern targeted activity in industrial environments, and it reports that USB has become a more prominent delivery channel for malware in those settings. Readers can review the study in the 2024 Honeywell USB Threat Report.
Air gaps still have gaps
Even well-run organisations depend on periodic transfers for patches, engineering files, logs, and exports. Stuxnet remains the clearest public example of a USB-borne infection crossing an air gap and reaching industrial control tooling when the workflow relies on removable media. For a readable deep dive, IEEE Spectrum’s account is a strong starting point, and it aligns with broader summaries of how the malware spread.
Key takeaways
- USB still matters because offline workflows still exist
- The highest risk appears when process is informal
- Controls work best when they are measurable
Where the risk hits hardest in the UK
Operational Technology and critical services
UK operators of critical services often run mixed estates where legacy Operational Technology (OT) sits beside modern IT, and vendors still arrive with laptops and removable drives. That blend of operational pressure and constrained connectivity makes USB controls particularly important. Guidance for ICS and OT environments highlights that removable media is routinely used for tasks such as patching and moving data, and it recommends controlled handling rather than informal workarounds.
Defence-style controls in everyday organisations
The UK National Cyber Security Centre advises organisations to set clear policy and apply technical controls for peripherals, including restricting or disabling unused interfaces and defining who can connect what and when. That framing is useful beyond defence. Any organisation with regulated data, sensitive intellectual property, or high downtime costs can apply the same discipline without adopting a blanket ban. A useful entry point is NCSC guidance on using peripherals securely.
Practical controls that actually work
Start with a written policy that people can follow
The best policy is short, specific, and tied to real workflows. It should define who may bring in removable media, what kinds are allowed, and how devices are approved. It should cover client handovers, supplier firmware updates, and engineers who need to move logs off isolated systems. When policy is vague, staff invent their own process, and attackers benefit from inconsistency. A good policy also defines what happens when something fails a check and who makes the final decision.
Control 1: reduce unknown devices at the point of entry
Many organisations start by standardising trusted media. That might mean issuing encrypted, company-owned USB drives for internal use and requiring suppliers to use managed transfer routes wherever possible. Where external devices are unavoidable, a dedicated scanning station can act as a checkpoint at the front door of the network. A hardware-based approach is attractive in higher-risk environments because it keeps scanning separate from production endpoints and can operate offline when needed.
Control 2: make scanning verifiable, not optional
“Everyone should scan” is not a control. A control is something that can be verified. That might include logging scans, recording outcomes, and requiring a clean result before a device can be used on specific segments. In OT, that often means the engineering workstation and the jump host. In corporate environments, it may mean finance systems or research networks. This turns USB risk into something that can be audited and improved.
Control 3: treat people as part of the control set
Even excellent tooling fails if people feel punished for following it. Good programmes explain the “why” in plain language, align the process with day-to-day work, and remove friction. A short briefing for contractors at site induction, signage near secure rooms, and a single “what to do with this USB” flow can reduce risky improvisation. When staff understand that a quick scan protects uptime and client trust, compliance becomes routine.
Building a repeatable USB workflow
A simple model for UK organisations
A practical workflow has four steps. First, classify environments, such as office IT, restricted IT, and OT, and decide where unmanaged media is never allowed. Second, define approved routes for moving files into each tier, including who is responsible for releasing files into higher trust zones. Third, enforce checks at the boundary, whether through managed transfers, scanning stations, or a combination. Fourth, review results and near misses so the programme stays realistic.
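The sketch below ties Control 2 to this four-step workflow as an added example, not code from the article or from any scanning product: a boundary check that admits a device only when the tier's policy and the scan log agree, plus an adherence figure for the review step. The tier rules, the 24-hour freshness window, the log format, and all device IDs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions for illustration: the tier names follow the article's example,
# while the per-tier rules and the 24-hour freshness window are invented here.
TIER_POLICY = {
    "office-it":     {"unmanaged_media": True,  "scan_required": False},
    "restricted-it": {"unmanaged_media": True,  "scan_required": True},
    "ot":            {"unmanaged_media": False, "scan_required": True},
}
MAX_SCAN_AGE = timedelta(hours=24)
MANAGED_DEVICES = {"USB-0001", "USB-0003", "USB-0004"}  # constructed asset list

# Constructed scan-station log; the record format is hypothetical.
SCAN_LOG = [
    {"device": "USB-0001", "time": "2025-03-03T08:10", "result": "clean"},
    {"device": "USB-0002", "time": "2025-03-03T08:40", "result": "clean"},
    {"device": "USB-0003", "time": "2025-03-02T16:00", "result": "clean"},
    {"device": "USB-0003", "time": "2025-03-03T09:05", "result": "infected"},
    {"device": "USB-0004", "time": "2025-03-01T09:00", "result": "clean"},
]

def scan_time(record):
    return datetime.fromisoformat(record["time"])

def admit(device, tier, now, log=SCAN_LOG):
    """Return (allowed, reason) for connecting `device` inside `tier` at `now`."""
    policy = TIER_POLICY[tier]
    if device not in MANAGED_DEVICES and not policy["unmanaged_media"]:
        return False, "unmanaged media not allowed in this tier"
    if not policy["scan_required"]:
        return True, "no scan required"
    scans = [r for r in log if r["device"] == device]
    if not scans:
        return False, "no scan on record"
    latest = max(scans, key=scan_time)  # only the most recent outcome counts
    if latest["result"] != "clean":
        return False, "latest scan not clean"
    age = now - scan_time(latest)
    if not timedelta(0) <= age <= MAX_SCAN_AGE:
        return False, "scan outside freshness window"
    return True, "clean scan on record"

def adherence(events, log=SCAN_LOG):
    """Share of recorded connections that met policy, plus the misses to review."""
    checked = [(e, admit(*e, log)) for e in events]
    misses = [(e, reason) for e, (ok, reason) in checked if not ok]
    return (1 - len(misses) / len(events) if events else 1.0), misses
```

Each denial carries a reason string, so the misses returned by `adherence` double as the near-miss list for the fourth step.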
Teams do not implement USB controls because they enjoy process. They do it because the downside is expensive and distracting. Verizon’s 2025 Data Breach Investigations Report is not USB-specific, but it is a reminder that repeatable attack paths scale across industries, and it explains the incident dataset window used for its analysis. The report is available through Verizon’s DBIR portal.
A next step that does not slow the business
If an organisation relies on removable media at all, it can start with a one-week mapping exercise. List the top reasons USB drives appear, the people involved, and the systems touched. Then implement one improvement at the highest-risk boundary, measure adherence, and expand. For teams that need a dedicated front-door checkpoint, exploring a proven approach to USB decontamination can be a sensible, low-drama place to begin.




