A Coup and a Theft: Why MSPs Can’t Let Clients Get Lax About USB Security

Here are some horror stories involving rogue employees.

June 11, 2021

5 Min Read
USB drive

By Eric Woodard


Eric Woodard

As MSPs responsible for securing clients’ data and systems against all threats great and small, the humble USB drive can be just as dangerous as the most sophisticated cyberattack. Clients may have a hard time imagining just two inches of metal and plastic destroying their businesses, but that potential is absolutely real nevertheless.

If a client of yours is less than serious about the need for USB security or trying to cut corners on your recommended safeguards, I have a couple of cautionary true tales you can tell them.

The Mortgage Company Coup

This first story concerns a long-term client of ours, a mortgage company with about 150 employees. We’ve worked together nearly 10 years, since the days when MSP-provided security was much more a list of à la carte options chosen by the client. In our current and more enlightened era, I advise MSPs to avoid working with any client that demands bargains instead of accepting your comprehensive security strategy. The consequences of a breach can be ruinous to you both; it’s just not worth it anymore (if it ever was). In this client’s defense (literally), it opted for a nearly full slate of security safeguards, only saying “enough is enough” when it came to USB protection.

It happened that the owner was ready to sell the company. With an offer on the table, the owner told the company’s managers the news. This prompted one of those employees – call it a coup – to start recruiting others to leave and start their own company. To make sure that new company could hit the ground running, this employee also decided to take all the data they would need.

If you think about what goes into a mortgage file, you have payroll stubs, tax returns, medical military records, etc. Basically, you have customers’ whole life stories. Home buyers meet with a mortgage company for an hour and hand over every important document in their lives. It’s highly sensitive data, and certainly unnerving to customers that an employee could steal it all for their own nefarious purposes.

The employee began copying huge amounts of data to an unsecure USB drive. He bypassed security measures and controls the company had in place, such as a firewall and web filtering, by using a purchased VPN product. However, he happened to call in for support for something else during this process. One of my technicians saw the peculiar data transfer. He alerted me, and we let the owner know what was going on. The owner investigated and later found out that the rogue employee was actively recruiting three-dozen other employees.

The owner had us go in and document the files stolen and nab a screenshot of the USB file transfer. When we did, we learned that this employee thought the VPN made him invincible: he was browsing pornography on his other screen while the transfer was happening. Ultimately, the owner didn’t sell the company, because this incident blew up the deal. The employee got away with the stolen data and went to a competitor. The whole case is now in court, where that last aspect with the … adult … browsing is perhaps adding some levity to the proceedings.

The Engineering Company Schematics (and the School of Hard Knocks)

In another client story involving an engineering company, a couple of employees left the firm, but not before taking sensitive data copied to a USB drive along with them. These engineers proceeded to start their own business, enabled by this stolen data. The new company’s website prominently displayed drawings that those employees had worked on under their previous employer, a fact that our client was quick to notice.

Even the most prudent and security-oriented clients often have a blind spot for …

… insider threats and the risks that USB devices represent. In my experience, these cases come down to business leaders saying, “I trust my people,” while being dangerously naïve about what those people are actually capable of. It’s a matter of trust until that trust is broken, and the school of hard knocks teaches them a rough lesson.

In both of the incidents I mentioned, the clients signed up for USB protection immediately after. The need to lock down and enforce encryption on USB drives is often a wide-open gap that clients overlook. It falls to us MSPs to ensure that gap is secured, and that clients don’t have to learn about USB risks the hard way.

Employee Monitoring, with Warnings

Employee monitoring software can also provide strong deterrents against copying company files to a USB. If they try to do so, solutions will present the employee with a pop-up, warning them that copying files to a USB drive is against company policy and that their activity is monitored. At that point the defiance is clear if employees proceed — there’s no room for them to argue that they thought what they were doing was allowed.

The USB Malware Vector

USB drives present an inviting vector for malware as well. It’s a common pen test to drop a few hundred USBs in parking lots, label files something intriguing like “modeling photos” or “4th quarter financials,” and include software able to call home to determine how many drives get picked up and plugged in. In these tests, this attack method has a 45%-98% success rate.

As part of an employee training regimen, security providers can run such tests on a business’ campus and even display which employees plugged found USB devices into what machines. It makes sense for MSPs to harden clients against these threats, on both the hardware security and employee behavior fronts.

Thumb-Size Threats

USB devices are everywhere. A client’s employees will attend a trade show and come back with 10 of them. Whether employees are malicious or simply careless, it must be assumed that they’re carrying USB drives and that they are a threat. Clients will invariably believe “it’s not going to happen to me” until it does. It’s our job as MSPs to overcome clients’ head in the sand mentality, and be their savior when it comes to USB security.

Eric Woodard is the CEO at Protek, an IT service provider based in Sandy, Utah.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like