USB drives in the office: still useful, or mostly a risk?
That loose USB drive sitting in your desk drawer looks harmless — but it's one of the easiest ways a virus or data breach finds its way into your office. What should you watch out for in 2026?
You know the type: a pile of USB drives in the top desk drawer. A few branded with a trade show logo, one from a previous accountant, and an unidentified one nobody dares plug in anymore. USB drives used to be the most practical way to carry files around. In 2026, they're mostly a small plastic gadget that can cause a surprisingly large amount of trouble.
We still get questions about them regularly. Are they still allowed? Are they dangerous? What do you do with the one you found in the car park? Time for a level-headed overview.
Why USB drives are a weak spot
A USB drive is a physical object you insert into a computer. Once it's in, it can exchange files — in both directions. That makes three things possible that you'd rather avoid:
- Introducing malware. An infected drive can install malicious software on your laptop the moment you plug it in. Some variants disguise themselves as a keyboard and type commands on their own.
- Quietly walking data out the door. A customer database, quotes, or the complete accounts can fit on a single drive. Lose it on the train and your records are out in the open.
- Old files nobody can account for. Drives get left lying around for years. What's on them? Who used them? Nobody knows anymore.
The found drive: what do you do with it?
It sounds like a joke, but it really happens. Someone "loses" a USB drive near the entrance of an office, hoping a helpful employee will plug it in to find the owner. The drive contains a file with an enticing name ("Salaries 2026.pdf") that installs malware when opened.
The rule is simple: never plug in a found USB drive. Not on your work laptop, not on your personal laptop, not on your child's computer. Bin it, or hand it in at the building reception if you genuinely think a colleague has lost it.
When a USB drive is still useful
We're not saying you can never use a USB drive again. There are situations where it's practical:
- Taking a presentation to a client who has no guest Wi-Fi.
- Transferring large files when your internet connection is unreliable.
- Making a backup that you store physically off-site (for example, in a safe).
For most other situations, a cloud folder or a shared link is more convenient, more secure, and easier to track down. See also our article on sharing files securely without everyone having to learn a new app.
Five practical ground rules for your office
- Only use drives you bought yourself. No branded freebies from a trade show where you have no idea who manufactured them.
- Encrypt sensitive files. Both Windows (BitLocker To Go) and macOS have built-in options to password-protect a USB drive. Lost = not immediately readable by whoever finds it.
- Label them and keep track of what's on them. An unlabelled drive inevitably becomes a mystery. Stick a label on it showing who uses it and what it's for.
- Clear out old drives. Format them first (or physically destroy them if they ever held sensitive data). Throwing one away with your records still on it is a minor data breach.
- Don't just plug in drives from third parties. If a supplier or accountant hands you a drive, ask whether they can email the file or share it via a link instead. Less hassle and more secure.
What about the USB port on the printer?
Don't forget that your multifunction printer often has a USB port too, for printing or scanning directly. The same risks apply there. If nobody uses that feature, you can usually disable the USB port in the printer settings. One less entry point.
What to do if a drive containing company data goes missing
If you notice that a USB drive holding customer or staff data is missing, act quickly:
- Establish what data was on it (was it encrypted? If so, the risk is much lower).
- Consult your data protection officer or accountant about whether this needs to be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) — for personal data: within 72 hours.
- Change any passwords or access codes that may have been stored in files on the drive.
- Document what happened — a brief log is enough, but you want to be able to show what steps you took.
In short
USB drives aren't dead, but they're on their way out. Fine for occasional use, as long as they're encrypted and come from a trusted source. For day-to-day work, cloud folders are simply more practical and more secure. The key takeaway: don't treat a USB drive like a pen that anyone can pick up — treat it like a key that unlocks your files.
Want someone to take a fresh look at file sharing and security in your office, without a big IT production? Our access check maps out who can reach what — including those old drives and stray folders nobody has eyes on anymore.
Volledige gids: Security for SMBs without an IT department: what should you do this quarter?
Dit artikel is onderdeel van onze uitgebreide Security zonder IT-afdeling-gids. Lees de pillar voor het complete plaatje.
Lees de pillar →