
Portable Media Security — Canadian Baseline Control BC.13

What the Canadian Centre for Cyber Security Recommends

The Canadian Centre for Cyber Security (CCCS) identifies portable media security as Baseline Control 13 (BC.13) in its Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089). Organizations should establish policies and technical controls governing the use of USB drives, external hard drives, SD cards, and other removable storage devices. Portable media introduces risks including malware infection, data theft, and unauthorized data transfer.

Despite the growing use of cloud storage and email for file sharing, portable media remains common in many Canadian workplaces. USB drives are inexpensive, convenient, and easy to lose — making them a persistent security concern. The CCCS includes portable media security as a baseline control because the risks are significant and the mitigations are straightforward.

USB Device Risks

USB drives and other portable media pose several distinct security risks to organizations. Understanding these risks is the first step toward managing them effectively.

Malware Introduction

USB devices are a well-documented vector for malware. A USB drive used on an infected personal computer can carry malware into the corporate network when plugged into a work system. Some malware is specifically designed to spread via USB — copying itself onto any removable media connected to an infected machine.

Attackers have also been known to leave infected USB drives in public places (parking lots, lobbies, conference venues) in the hope that someone will pick one up and plug it into a corporate computer. This technique, known as "USB baiting" or "USB drop attacks," exploits human curiosity and is referenced in cybersecurity awareness guidance from the CCCS.

Data Loss and Theft

USB drives are small enough to fit on a keychain, which makes them easy to lose, misplace, or steal. A single USB drive can hold gigabytes of sensitive data — customer records, financial documents, intellectual property, employee information — and if that drive is unencrypted, anyone who finds it can access the contents.

Unauthorized Data Transfer

Without controls in place, employees can use USB drives to copy large volumes of organizational data, whether intentionally or inadvertently. This creates risks related to data governance, privacy obligations under PIPEDA, and intellectual property protection.

Removable Media Policies

The CCCS recommends that organizations establish a written policy governing the use of portable media. A clear policy sets expectations for employees and provides a basis for technical controls and enforcement.

An effective removable media policy should address:

  • Permitted use cases — define when and why portable media may be used (e.g., transferring files to air-gapped systems, providing materials to a client)
  • Approved device types — specify which devices are permitted and whether they must be company-issued
  • Data classification — identify what types of data may and may not be stored on portable media
  • Personal device restrictions — state whether personal USB drives and storage devices are permitted on organizational systems
  • Reporting requirements — require employees to report lost or stolen portable media immediately
  • Consequences — outline the consequences for policy violations

The policy should be communicated to all employees during onboarding and reinforced through regular security awareness training (BC.6).

Encryption Requirements

Any portable media used to store organizational data should be encrypted. Encryption ensures that if the device is lost or stolen, the data on it cannot be accessed without the correct password or encryption key.

Encryption options for portable media include:

  • Hardware-encrypted USB drives — these devices have encryption built into the hardware and require a PIN or password to unlock; they are the most secure option for portable storage
  • Software-based encryption — tools such as BitLocker To Go (Windows), FileVault (macOS), or VeraCrypt can encrypt USB drives and external hard drives
  • File-level encryption — individual files can be encrypted before copying them to portable media, though this is less reliable than full-device encryption because users may forget to encrypt individual files

Organizations should standardize on an encryption method and ensure that all approved portable media devices are encrypted before use. Company-issued, pre-encrypted USB drives reduce the risk of employees using unencrypted personal devices.
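The BitLocker To Go workflow described above, as an added example that is not part of the CCCS guidance: it reports removable volumes without BitLocker protection, encrypts a drive with a password protector, and sets the policy value that makes unencrypted removable drives read-only. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker module; the mount point 'E:' in the final comment is a placeholder.

```powershell
# Added example, not from the CCCS Baseline Controls. Run elevated on Windows
# Pro/Enterprise with the BitLocker PowerShell module available.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-UnprotectedRemovableVolume {
    # Removable volumes with a drive letter whose BitLocker protection is not On.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter -match '^[A-Z]$' } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            if (-not $bl -or $bl.ProtectionStatus -ne 'On') { $mount }
        }
}

function Protect-RemovableVolume {
    param([Parameter(Mandatory)][string]$MountPoint,
          [Parameter(Mandatory)][securestring]$Password)
    # XTS-AES 256 is readable on Windows 10 and later; use Aes256 if the drive
    # must also open on older Windows. -UsedSpaceOnly keeps the initial pass
    # short on a freshly issued, empty drive.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    # Add a recovery password and return it so IT can record it in the device
    # inventory (never store it on the drive itself).
    (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -ExpandProperty RecoveryPassword
}

function Set-DenyWriteToUnencryptedRemovable {
    # Registry equivalent of the Group Policy setting "Deny write access to
    # removable drives not protected by BitLocker": unencrypted drives mount
    # read-only, so data cannot be copied onto a non-compliant device.
    if (-not (Test-Path $fvePolicy)) { New-Item -Path $fvePolicy -Force | Out-Null }
    Set-ItemProperty -Path $fvePolicy -Name RDVDenyWriteAccess -Value 1 -Type DWord
}

Set-DenyWriteToUnencryptedRemovable
$unprotected = @(Get-UnprotectedRemovableVolume)
"Removable volumes without BitLocker protection: $($unprotected -join ', ')"
# To encrypt a drive (placeholder mount point):
# Protect-RemovableVolume -MountPoint 'E:' -Password (Read-Host -AsSecureString 'Drive password')
```

Domain-joined machines should receive the FVE policy through Group Policy rather than a local registry write, so the setting is reapplied if someone changes it locally.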

Disabling Autorun

Autorun (and the closely related AutoPlay prompt) is an operating system feature that automatically executes programs or opens files when a USB device is connected. Malware has exploited this feature to run malicious code the moment a USB drive is inserted into a computer.

The CCCS recommends disabling autorun on all organizational systems. This aligns with Baseline Control BC.4 (Secure Configuration). Specific steps include:

  • Disable autorun via Group Policy — in Windows environments, use Group Policy to disable autorun and autoplay for all removable media across the organization
  • Disable autorun on individual machines — for organizations without centralized management, autorun can be disabled in system settings on each computer
  • Apply to all media types — ensure autorun is disabled for USB drives, optical media, and network drives

Disabling autorun is a simple configuration change that eliminates an entire category of USB-based attack.
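The per-machine variant of the autorun change above, as an added example that is not part of the CCCS guidance: it writes the registry values that the "Turn off AutoPlay", "Set the default behavior for AutoRun" and "Disallow Autoplay for non-volume devices" Group Policy settings produce, then reads them back so the result can be verified. It assumes an elevated PowerShell session on a Windows machine without centralized management.

```powershell
# Added example, not from the CCCS Baseline Controls. Run elevated.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun is a bit mask of drive types; 0xFF covers every type
# (removable, fixed, network, optical, RAM disk). NoAutorun = 1 makes Windows
# ignore autorun.inf commands. NoAutoplayfornonVolume = 1 covers devices that
# are not volumes, such as cameras and phones.
$desired = @{
    NoDriveTypeAutoRun     = 0xFF
    NoAutorun              = 1
    NoAutoplayfornonVolume = 1
}

function Set-AutorunDisabled {
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $explorerPolicy -Name $name -Value $desired[$name] -Type DWord
    }
}

function Test-AutorunDisabled {
    # Returns one object per missing or wrong value; an empty result means compliant.
    $findings = @()
    foreach ($name in $desired.Keys) {
        $actual = (Get-ItemProperty -Path $explorerPolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $desired[$name]) {
            $findings += [pscustomobject]@{ Setting = $name; Expected = $desired[$name]; Actual = $actual }
        }
    }
    return $findings
}

Set-AutorunDisabled
$gaps = @(Test-AutorunDisabled)
if ($gaps.Count -eq 0) { 'AutoRun and AutoPlay are disabled for all drive types.' }
else { $gaps | Format-Table -AutoSize }
```

Test-AutorunDisabled on its own is a useful spot check before an assessment, since a later Group Policy refresh or a user-level AutoPlay setting can reintroduce the behaviour.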

Approved Device Lists

Organizations can limit which USB devices are permitted to connect to their systems by maintaining an approved device list. This is a technical control that complements the written removable media policy.

Approaches to device management include:

  • Endpoint management software — tools such as Microsoft Intune, Jamf, or similar endpoint management platforms can restrict USB device connections to specific approved devices based on vendor ID, product ID, or serial number
  • USB device control policies — many anti-malware solutions (BC.3) include USB device control features that can block, allow, or monitor USB connections
  • Disabling USB storage ports entirely — for high-security environments or workstations where USB storage is not needed, USB mass storage can be disabled at the operating system level while keeping USB keyboards and mice functional
  • Read-only mode — some organizations allow USB devices to be read but not written to, preventing data from being copied out of the organization onto portable media

The appropriate level of restriction depends on the organization's operations and risk tolerance. Some businesses may need USB access for daily operations; others may be able to eliminate it entirely.
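The read-only mode and approved-device approaches above, as an added example that is not CCCS guidance or any vendor's tooling: it writes the registry equivalents of the "Removable Storage Access" Group Policy settings for the Removable Disks device class, and audits the USB storage currently connected against an approved list keyed by vendor ID, product ID and serial number. It assumes an elevated PowerShell session on Windows 10 or later; the approved-list entry is a constructed placeholder.

```powershell
# Added example, not from the CCCS Baseline Controls. Run elevated.
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskPolicy {
    # Allow: normal use. ReadOnly: the drive can be read but not written, so
    # data cannot be copied out onto it. Block: neither read nor write.
    # Execute is always denied so a program cannot be launched from the drive.
    param([Parameter(Mandatory)][ValidateSet('Allow', 'ReadOnly', 'Block')][string]$Mode)
    if (-not (Test-Path $removableDisks)) { New-Item -Path $removableDisks -Force | Out-Null }
    $denyRead  = if ($Mode -eq 'Block') { 1 } else { 0 }
    $denyWrite = if ($Mode -eq 'Allow') { 0 } else { 1 }
    Set-ItemProperty -Path $removableDisks -Name Deny_Read    -Value $denyRead  -Type DWord
    Set-ItemProperty -Path $removableDisks -Name Deny_Write   -Value $denyWrite -Type DWord
    Set-ItemProperty -Path $removableDisks -Name Deny_Execute -Value 1          -Type DWord
}

# Approved devices as "VID_xxxx&PID_xxxx:serial". The entry below is a
# constructed placeholder; replace it with your company-issued drive inventory.
$approved = @('VID_0000&PID_0000:PLACEHOLDER-SERIAL')

function Get-UsbStorageIdentity {
    # Returns the identity string of every USB mass-storage device present.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            # The USBSTOR node's parent is the USB device node, whose instance
            # ID has the form USB\VID_xxxx&PID_xxxx\<serial>.
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Parent').Data
            if ($parent -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$') {
                "VID_$($Matches[1])&PID_$($Matches[2]):$($Matches[3])"
            }
        }
}

function Test-ApprovedUsbStorage {
    # Returns connected USB storage devices that are not on the approved list.
    Get-UsbStorageIdentity | Where-Object { $approved -notcontains $_ }
}

Set-RemovableDiskPolicy -Mode ReadOnly
$unapproved = @(Test-ApprovedUsbStorage)
if ($unapproved.Count -gt 0) { "Unapproved USB storage connected: $($unapproved -join ', ')" }
else { 'Only approved USB storage (or none) is connected.' }
```

The Removable Storage Access values apply to devices connected after the change, so reconnect a test drive (or reboot) before verifying; a serial-based allow list only works for drives whose controllers report a unique serial, which cheap consumer drives sometimes do not.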

Secure Disposal

When portable media reaches the end of its useful life — or when it has contained sensitive data that is no longer needed — it must be disposed of securely. Simply deleting files or formatting a USB drive does not reliably remove data; recovery tools can often restore deleted files from formatted media.

Secure disposal methods include:

  • Cryptographic erasure — if the device was encrypted before any data was written to it, destroying the encryption key renders the data unrecoverable
  • Overwriting — using specialized software to write random data over the entire storage area multiple times
  • Degaussing — using a strong magnetic field to erase magnetic media (effective for hard drives, not for flash-based USB drives)
  • Physical destruction — shredding, crushing, or incinerating the device; this is the most certain method and is recommended for media that contained highly sensitive data

Organizations should document their disposal process and maintain records of when and how portable media was destroyed, particularly for media that contained personal information subject to PIPEDA.

Getting Started

For Canadian small and medium organizations looking to address portable media risks, the CCCS Baseline Controls suggest the following practical steps:

  1. Write a removable media policy — even a one-page document that states what is and is not permitted
  2. Disable autorun on all organizational computers
  3. Issue encrypted USB drives — if USB use is required, provide company-issued encrypted devices and prohibit personal drives
  4. Configure anti-malware to scan removable media — ensure that USB devices are automatically scanned when connected, aligned with Baseline Control BC.3
  5. Train employees — include portable media risks in your security awareness training program (BC.6)
  6. Take the free cybersecurity assessment to evaluate your organization's posture across all 13 Baseline Controls

Frequently Asked Questions

Should Canadian businesses ban USB drives entirely?

Not necessarily. The CCCS Baseline Controls recommend that organizations establish a policy governing the use of portable media rather than requiring an outright ban. For some organizations, restricting USB use to approved, encrypted devices is more practical. Others may choose to disable USB storage ports entirely if portable media is not required for business operations.

What types of portable media does this control cover?

This control covers all forms of removable storage that can be connected to organizational systems. This includes USB flash drives, external hard drives, SD cards, optical media (CDs and DVDs), and any other device capable of storing and transferring data. The risks are similar across all types: data loss, data theft, and malware introduction.

How should a small business dispose of old USB drives and external hard drives?

The CCCS recommends secure disposal of portable media that has contained sensitive information. Simply deleting files or formatting the drive is not sufficient, as data can often be recovered. Organizations should use certified data destruction methods — such as cryptographic erasure, degaussing, or physical destruction — depending on the sensitivity of the data and the type of media.


Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
