Beter Geregeld ICT
Security without an IT department · 5 min read · 13 June 2026

USB drives in the office: why that freebie stick from a trade show is a real problem

USB drives look harmless, but they're one of the easiest ways to introduce malware or let sensitive data walk out the door. A practical approach for SMBs.

You know the ones: that pile of USB drives handed out at trade shows, the memory stick a client brings in with "just a few quick files", or the drive that's been sitting in the top desk drawer for years. They seem harmless. In practice, they're one of the simplest ways malware finds its way into the office — and one of the easiest ways sensitive data quietly slips out.

In this post: why USB drives are a blind spot for many SMBs, and what you can do about it without expensive tools.

Why this problem is bigger than it looks

There are three risks, and they all apply at the same time:

  • Malware via a found or gifted drive. Someone plugs it in to see what's on it. Opening the wrong file is all it takes.
  • Data leakage. A departing employee, a stressed colleague who "just wants to finish this at home", or someone who accidentally copies the wrong folder. Nobody sees it, nobody logs it.
  • Lost drives. A stick with customer data left behind in a train seat is, under GDPR, simply a data breach — with a mandatory reporting obligation.

The tricky part: there's usually no incident to wake you up. Until there is.

What most SMBs do today (and why it's not enough)

Ask around the office and you'll usually hear: "We don't really have anything in place." Sometimes the employee handbook includes a line like "be careful with external storage media." That's not a policy — it's a wish.

What's missing is something concrete: what's allowed, what isn't, and how do you know whether people are actually following it?

A workable approach in four steps

1. Decide whether you actually still need USB storage

Honest question: what do you use drives for? In 9 out of 10 cases the answer is "sharing files" — and for that you now have SharePoint, OneDrive, Google Drive, or WeTransfer. Safer, traceable, and no more hunting for that one missing stick.

If USB storage isn't needed for work, simply disable it. In Windows, that's a single setting via Group Policy or Intune. Same goes for Macs.
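As an added example (not code from the original post or from Beter Geregeld ICT), this PowerShell script applies the same registry policy that the Windows Group Policy "All Removable Storage classes: Deny all access" writes, then verifies it, and lists which USB storage devices Windows has previously enumerated on the machine so you can check whether the rule is actually being followed. Assumptions: an elevated PowerShell session on Windows 10/11, and that the single machine is a test or a one-off; on a fleet, set the same policy through Group Policy or an Intune device configuration profile so it is enforced and reported centrally.

```powershell
# Added example, not part of the original post.
# Blocks USB mass storage on one Windows PC via the registry values behind the
# Group Policy "All Removable Storage classes: Deny all access", then verifies
# the setting and lists USB storage devices this machine has seen before.
# Assumption: elevated PowerShell on Windows 10/11; for a fleet use GPO/Intune.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-UsbStoragePolicy {
    param([ValidateSet('Deny', 'Allow')][string]$Mode = 'Deny')
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($Mode -eq 'Deny') {
        # Deny_All = 1 denies read, write and execute for every removable storage class
        New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    }
}

function Get-UsbStoragePolicy {
    # Returns 'Deny' when the policy value is 1, otherwise 'Allow'
    $v = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    if ($v -eq 1) { 'Deny' } else { 'Allow' }
}

function Get-UsbStorageHistory {
    # USB storage devices Windows has enumerated on this machine are recorded as
    # driver install entries under Enum\USBSTOR; one subkey per device model,
    # one subkey per serial number. Useful for the office sweep and as a check.
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enum)) { return @() }
    Get-ChildItem $enum | ForEach-Object {
        $model = $_.PSChildName            # e.g. Disk&Ven_...&Prod_...&Rev_...
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Model        = $model
                SerialNumber = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).FriendlyName
            }
        }
    }
}

Set-UsbStoragePolicy -Mode Deny
"USB storage policy is now: $(Get-UsbStoragePolicy)"
"USB storage devices previously connected to this machine:"
Get-UsbStorageHistory | Format-Table -AutoSize
```

The policy affects drives connected after the change; a device that is already mounted should be reconnected. Comparing the device list against your register of issued drives (step 3 below) is the quickest way to spot unknown sticks that have been used on a laptop.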

2. Set one clear rule

For example: "No external USB storage is used on work laptops. We share files via [name of your cloud service]. Exceptions go through [name]."

One sentence. Everyone understands it. And you know who to call when there's genuinely no other option.

3. Handle exceptions in advance

There are always legitimate cases: a print shop that only accepts files via USB, a notary, a supplier with their own equipment. For those situations:

  • Use hardware-encrypted drives (with a PIN on the device itself). These cost roughly €40–80 each.
  • Issue them by name. Not a shared bowl of drives floating around the office.
  • Keep a record of who has which drive. On departure: return it, just like the laptop and the office key card.

4. Make it part of onboarding and offboarding

When someone joins, explain the rule. When someone leaves, check: have all issued drives been returned? This belongs in your offboarding checklist, right alongside accounts and access cards.

What about that drive that's been in the drawer for years?

Do one sweep of the office this week. Check drawers, bags, and that tray by the reception desk. Collect everything. Anything that belongs to the company and contains nothing sensitive: wipe and reuse (or throw it away). Anything unknown: don't plug it in — just destroy it. A pair of scissors through a USB drive is free and final.

For any portable storage that may contain sensitive data: securely wipe it or physically destroy it. A standard format isn't enough — files can often still be recovered.
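As an added example (not code from the original post or from Beter Geregeld ICT), this PowerShell function wipes a USB drive with a full format before it is reused. On Windows Vista and later, a full format writes zeros to every sector, whereas a quick format only clears the file table, which is why a "standard" quick format leaves files recoverable. Assumptions: an elevated PowerShell session on Windows 10/11 with the built-in Storage module; the hypothetical function name Clear-UsbDrive is my own.

```powershell
# Added example, not part of the original post.
# Wipes a USB-attached disk by full format before reuse. The safety checks
# refuse any disk that is not USB-attached or that is a boot/system disk.
# Assumption: elevated PowerShell on Windows 10/11 (Get-Disk, Clear-Disk,
# Format-Volume come from the built-in Storage module).
#Requires -RunAsAdministrator

function Clear-UsbDrive {
    param([Parameter(Mandatory)][int]$DiskNumber)

    $disk = Get-Disk -Number $DiskNumber
    # Refuse anything that could be the wrong disk
    if ($disk.BusType -ne 'USB') { throw "Disk $DiskNumber is not USB-attached (bus: $($disk.BusType)); refusing." }
    if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber is a boot or system disk; refusing." }

    "About to wipe disk ${DiskNumber}: $($disk.FriendlyName), $([math]::Round($disk.Size / 1GB, 1)) GB"
    if ((Read-Host 'Type WIPE to continue') -ne 'WIPE') { return }

    # Remove every partition, re-initialise, then create one volume with a
    # full (not quick) format so every sector is overwritten with zeros
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
    Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
    New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem exFAT -NewFileSystemLabel 'CLEAN' -Full -Confirm:$false
}

# List USB disks first so the right disk number is chosen, then e.g.:
#   Clear-UsbDrive -DiskNumber 2
Get-Disk | Where-Object BusType -eq 'USB' | Select-Object Number, FriendlyName, Size, BusType
```

One caveat a practitioner should know: flash memory uses wear levelling, so a controller may keep old data in spare cells that a host-side overwrite never reaches. For a stick that has held sensitive data, the physical destruction the post recommends is the reliable option; the wipe above is for drives you intend to keep and reuse.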

The connection to your broader security approach

A USB policy doesn't stand alone. It belongs in the same category as your password manager, your 2FA, and who has access to which systems. All small things that, taken together, make the difference between "we got lucky" and "we simply have it sorted".

If you're already in the mood for tidying up and tightening things: it's also a good moment to check who still has login access to your systems. People are often surprised by what they find.

In closing

USB drives aren't the biggest security problem you have. But they're a typical example of something that feels too small to bother with — until it goes wrong. Half an hour on a policy and a quick sweep of the office is all it takes to put this one to rest.

Want a broader look at who can access what on your systems? Our access check is a logical next step. And if you're still unsure about the basics of your email security, take a look at setting up SPF/DKIM/DMARC — often the first real gap in the chain.

Topics

#mkb #security #data-lek #Beleid #Endpoint

Full guide: Security for SMBs without an IT department: what are you doing this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.

Read the pillar →