USB Drives and Portable Media: The Security Risk Sitting in Your Desk Drawer
There is a good chance there is a USB drive in your office right now — in a desk drawer, plugged into a workstation, or in someone's laptop bag. It might hold a backup from two years ago, a client presentation, or files from a former employee. Nobody thinks much about it. That's exactly the problem.
USB drives and other portable media — external hard drives, SD cards, and similar removable storage — remain one of the most overlooked attack surfaces for Canadian small businesses. They are simultaneously one of the easiest ways for sensitive data to leave your organization and one of the quietest ways for threats to enter it.
The Threat Is Not Theoretical
USB-based attacks are not a relic of the early 2000s. They are active, evolving, and increasingly sophisticated.
Honeywell's industrial cybersecurity research found that 51% of malware detected in industrial environments was designed specifically for USB devices — a nearly six-fold increase from 9% just five years earlier. In the first quarter of 2025 alone, 1,826 unique USB threats were detected across industrial environments, including 124 never-before-seen variants. Unauthorized USB plug-and-play activity was the most common incident category recorded by Honeywell's industrial monitoring service, accounting for 25% of the top incident types identified.
These numbers reflect industrial environments, but the underlying risk applies universally. If your business uses USB drives, the threat is relevant.
Nation-State Actors Are Using USB Drives
Between 2023 and 2025, CrowdStrike Intelligence tracked a series of USB-borne campaigns conducted by a China-nexus threat group using a custom USB worm engineered to silently propagate across removable drives and launch payloads for espionage. CrowdStrike confirmed this malware affected organizations in North America during 2025, demonstrating that USB-based attacks continue to cross geographic boundaries due to the uncontrolled nature of how removable media moves between systems.
This is not just a nation-state concern. Commodity malware campaigns in late 2025 used infected USB drives to automatically execute hidden files and drop cryptomining malware, along with remote access tools like AsyncRAT — turning a single plugged-in drive into a multi-stage intrusion.
USB Drop Attacks Still Work
A well-known study by researchers at the University of Illinois dropped 297 USB drives around a university campus. 45% of the drives were opened — with files accessed — and 98% were physically picked up. The first drive was connected within six minutes. Among those who plugged in the drives, 68% reported taking no precautions before doing so.
That study is from 2016, but the human behaviour it measured has not changed. If someone finds a USB drive in your parking lot or reception area, there is a meaningful chance it ends up connected to a machine on your network.
The Two Risks: Data Loss and Malware
Every time removable media connects to an endpoint, your business faces two distinct risks.
Data Exfiltration
A USB drive is one of the simplest tools for moving data out of an organization — intentionally or accidentally. An employee copying files to work from home, a contractor transferring project data, or a departing staff member taking records — none of these require any special tools or technical sophistication.
Most organizations still lack basic controls over removable media. Industry surveys have consistently found that a majority of organizations do not use USB port control or device whitelisting software, and fewer than half require employees to encrypt data stored on USB drives. That means in most Canadian small businesses, anyone with physical access to a workstation can copy sensitive data to a personal device with no logging, no encryption, and no oversight.
Under PIPEDA, your organization is responsible for personal information under its control. If customer data walks out the door on an unencrypted USB drive that is later lost or stolen, that is a breach — and it triggers reporting obligations.
Malware Introduction
A compromised USB drive can deliver malware the moment it is connected. Modern USB-based attacks go well beyond simply storing a malicious file on the drive:
- Autorun exploits execute malware automatically when the drive is inserted
- Firmware-level attacks reprogram the USB controller itself, making the drive appear as a keyboard or network adapter to bypass security controls entirely
- Worm propagation silently copies malware to every USB drive connected to an infected machine, spreading laterally across your organization
Unlike phishing emails, which your email filters and employee training can partially mitigate, USB-based malware bypasses network-level defences entirely. It is already inside your perimeter.
Encrypt Everything on Portable Media
If your business uses USB drives or external storage for any purpose, encryption is not optional — it is a baseline expectation.
The Canadian Centre for Cyber Security's Baseline Controls explicitly require the use of encryption on all portable media (BC.13.1). This means data stored on USB drives, external hard drives, and SD cards should be encrypted at rest, so that a lost or stolen device does not automatically become a data breach.
How to Encrypt USB Drives
For most Canadian SMBs, practical encryption options include:
- BitLocker To Go (Windows Pro, Enterprise, and Education editions) — Built into Windows, supports AES-256 encryption, and can be enforced through Group Policy across your organization. For environments with compliance requirements, BitLocker can operate in FIPS 140-2 validated mode.
- Hardware-encrypted drives — USB drives with built-in encryption processors (such as those meeting FIPS 140-2 Level 3 certification) that encrypt data automatically without relying on host software. These are more expensive but eliminate the risk of software misconfiguration.
- FileVault and Disk Utility (macOS) — Apple's built-in tools can encrypt external drives using AES-256.
The key principle is that encryption should be mandatory and enforced, not optional and hoped for. If your organization issues USB drives, they should be encrypted before they leave IT. If employees bring their own, your acceptable use policy should prohibit the use of unencrypted portable media for work data.
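The following is an added example, not code from the article: a PowerShell script an IT admin could run on a Windows Pro/Enterprise workstation to audit whether attached removable drives are actually BitLocker-protected, read the policy values that enforce encryption, and encrypt a new drive before it is issued. Function names are this example's own; the registry path and value names are the standard locations where the BitLocker removable-drive Group Policy settings are stored. Run it from an elevated session.

```powershell
# Added example (not from the article). Requires Windows Pro/Enterprise/Education
# and an elevated PowerShell session. Function names are this example's own.

function Get-RemovableEncryptionStatus {
    # Get-Volume tells removable from fixed disks; Get-BitLockerVolume reports
    # the protection state per mount point. A drive is only "compliant" when
    # protection is On and the cipher is one of the AES-256 variants.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $status = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Unknown' }
            $method = if ($bl) { "$($bl.EncryptionMethod)" } else { 'None' }
            [pscustomobject]@{
                MountPoint       = $mount
                Label            = $_.FileSystemLabel
                SizeGB           = [math]::Round($_.Size / 1GB, 1)
                ProtectionStatus = $status
                EncryptionMethod = $method
                Compliant        = ($status -eq 'On' -and $method -in @('XtsAes256', 'Aes256'))
            }
        }
}

function Get-RemovableDrivePolicy {
    # "Deny write access to removable drives not protected by BitLocker" is stored
    # as RDVDenyWriteAccess=1; EncryptionMethodWithXtsRdv=7 selects XTS-AES 256
    # for removable data drives (4 = AES-256 CBC, 6 = XTS-AES 128, 3 = AES-128 CBC).
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $method = switch ($p.EncryptionMethodWithXtsRdv) {
        7 { 'XtsAes256' } 4 { 'Aes256' } 6 { 'XtsAes128' } 3 { 'Aes128' } default { 'not set' }
    }
    [pscustomobject]@{
        DenyWriteToUnencrypted = [bool]($p.RDVDenyWriteAccess -eq 1)
        RemovableDriveMethod   = $method
    }
}

function Enable-RemovableEncryption {
    # Encrypts a drive before it leaves IT: full-volume (not used-space-only)
    # encryption so nothing left over from a previous use stays in plaintext,
    # a password protector for the user, and a recovery password for IT.
    param([Parameter(Mandatory)][string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd(':')
    $mount  = "$letter`:"
    $vol = Get-Volume -DriveLetter $letter -ErrorAction Stop
    if ($vol.DriveType -ne 'Removable') { throw "$mount is $($vol.DriveType), not Removable. Refusing." }

    $pw = Read-Host -AsSecureString -Prompt "Unlock password for $mount"
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw | Out-Null
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null

    # Record the recovery password in your asset inventory / password manager
    # before handing the drive over; it is the only way back in if the user
    # forgets the password.
    (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Usage:
#   Get-RemovableEncryptionStatus | Format-Table
#   Get-RemovableDrivePolicy
#   Enable-RemovableEncryption -DriveLetter E
```

`Get-RemovableEncryptionStatus` is the check to run on a sample of workstations after rolling out the policy: if `DenyWriteToUnencrypted` reads `True` but drives still show `ProtectionStatus = Off`, the policy has not applied and users may still be writing plaintext to them. Note that `RDVDenyWriteAccess` blocks writes to unencrypted drives; it does not block reading from them, so an unknown drive can still introduce malware and the device-control step further down is still needed.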
Dispose of Portable Media Properly
When USB drives, external hard drives, or SD cards reach end of life — or when they change hands — simply deleting files is not enough. Standard file deletion removes the directory entry but leaves the actual data intact and recoverable with freely available tools.
The Canadian Centre for Cyber Security's Baseline Controls require organizations to have processes for the sanitization or destruction of portable media prior to disposal (BC.13.2). This aligns with the sanitization framework established in NIST Special Publication 800-88, which defines three levels of media sanitization:
- Clear — Overwriting all user-accessible storage with non-sensitive data using standard tools. Suitable for media being reused within the same organization.
- Purge — Using techniques that render data recovery infeasible even with laboratory methods. This includes cryptographic erasure, where the encryption key is destroyed, making the encrypted data permanently unreadable.
- Destroy — Physical destruction through shredding, disintegration, or incineration. Required when media cannot be sanitized through software methods or when the data sensitivity warrants it.
For most SMBs, the practical approach is:
- For drives staying in the organization: Use a reputable disk-wiping tool that performs a full overwrite (Clear)
- For drives leaving the organization: At minimum, perform a Purge-level sanitization. For drives that held sensitive client data or personal information, physical destruction is the safest option
- For failed or damaged drives: Physical destruction is the only reliable method, since software-based wiping may not reach all storage areas on a malfunctioning device
Do not donate, sell, or recycle USB drives that have held business data without proper sanitization. A used drive sold online or dropped in an e-waste bin can become a data breach if it contains recoverable information.
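As an added example (not from the article), here is a PowerShell routine for the Clear level described above, written for the case of a drive that stays inside the organization: it refuses anything that is not a removable volume, full-formats the drive (a full format writes zeros across the volume, unlike a quick format that only rebuilds the file-system metadata), and returns a sanitization record for the disposal log. The function name and the record fields are this example's own.

```powershell
# Added example (not from the article). NIST SP 800-88 "Clear" for a removable
# drive on Windows. Run elevated. Function name is this example's own.

function Clear-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [string]$Label = 'WIPED'
    )
    $letter = $DriveLetter.TrimEnd(':')
    $mount  = "$letter`:"
    $vol = Get-Volume -DriveLetter $letter -ErrorAction Stop

    # Guardrail 1: removable volumes only, never a fixed data disk.
    if ($vol.DriveType -ne 'Removable') { throw "$mount is $($vol.DriveType), not Removable. Refusing." }
    # Guardrail 2: the system drive can never be the target.
    if ($mount -eq $env:SystemDrive) { throw 'Refusing to wipe the system drive.' }

    # Capture identity for the disposal record before the format.
    $disk = Get-Partition -DriveLetter $letter | Get-Disk
    $record = [pscustomobject]@{
        Date         = Get-Date -Format 'yyyy-MM-dd HH:mm'
        Model        = $disk.FriendlyName
        SerialNumber = $disk.SerialNumber
        SizeGB       = [math]::Round($disk.Size / 1GB, 1)
        Method       = 'Clear: full format, single zero pass (NIST SP 800-88)'
        Operator     = $env:USERNAME
        Result       = 'not started'
    }

    # -Full writes zeros to every addressable sector of the volume. -Force and
    # -Confirm:$false suppress the interactive prompts so this can run in a script.
    Format-Volume -DriveLetter $letter -FileSystem NTFS -NewFileSystemLabel $Label `
        -Full -Force -Confirm:$false | Out-Null

    # Confirm the format completed and the new label is in place.
    $after = Get-Volume -DriveLetter $letter
    $record.Result = if ($after.FileSystemLabel -eq $Label -and $after.FileSystem -eq 'NTFS') { 'completed' } else { 'FAILED - verify manually' }
    $record
}

# Usage: append the record to the sanitization log kept for BC.13.2.
#   Clear-RemovableDrive -DriveLetter E | Export-Csv -Path .\sanitization-log.csv -Append -NoTypeInformation
```

This is Clear, not Purge: a full format only reaches the sectors the operating system can address, and flash media keeps spare blocks outside that range that the controller may still hold old data in. That is why the article reserves Purge-level sanitization or physical destruction for drives that leave the organization or that held personal information, and why a drive whose format reports `FAILED` should go straight to destruction rather than a second attempt.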
The Policy Gap
Many Canadian SMBs have no written rules governing portable media use. There is no documented expectation about when USB drives are acceptable, what data can be stored on them, whether encryption is required, or how they should be disposed of.
Portable media controls are most commonly addressed within an organization's Acceptable Use Policy — the same document that typically governs employee use of company systems, internet access, and personal devices. In organizations with more mature security programs, portable media may also be referenced in a dedicated Data Handling or Information Classification policy, but for most small businesses, the Acceptable Use Policy is the natural home.
Regardless of where it lives, the key elements are straightforward:
- Only organization-owned portable media should be used for work data — personal USB drives introduce unknown risk
- Encryption is required on all portable media containing business or client information
- Approved devices should be tracked as part of your asset inventory, the same way you track laptops and phones
- Data should not live on portable media permanently — transfer files to secure, permanent storage and remove them from the drive
- Sanitization or destruction procedures must be followed before any portable media is reused, reassigned, or disposed of
- Employees should know what to do if a USB drive is lost, stolen, or found — including reporting it as a potential security incident
This does not need to be a complex document. It needs to be clear, communicated to all staff, and enforced. The same principle applies here as with AI tools — the goal is not to ban the technology, but to set practical rules for how it is used.
What You Should Do
If your business has not addressed portable media security, here is where to start:
- Inventory what exists. Find out how many USB drives and external storage devices are in use across your organization. You cannot secure what you do not know about — this is the same principle behind software inventory as a security control.
- Enforce encryption. Deploy BitLocker To Go or equivalent encryption on all portable media used for business data. Make this a requirement, not a recommendation.
- Restrict unauthorized devices. Where feasible, disable USB ports on workstations that do not need them or use endpoint management tools to allow only approved devices.
- Update your Acceptable Use Policy. Add clear rules for portable media — what is allowed, what is required, and what happens when devices are lost or reach end of life.
- Establish disposal procedures. Define how portable media is sanitized or destroyed when it is no longer needed. Assign responsibility and document the process.
- Train your team. Ensure employees understand that unknown USB drives should never be connected to a work computer — and that security awareness includes physical media, not just email.
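As an added example covering the "Inventory what exists" and "Restrict unauthorized devices" steps (not code from the article), the PowerShell below gives a Windows endpoint three building blocks: a list of every USB storage device the machine has ever enumerated (Windows keeps this history under the USBSTOR registry key), a comparison against the approved serial numbers from your asset inventory, the device-class policy that denies write or execute access to removable disks, and a query for the Security event written when a new device is plugged in. Function names and the two approved serial numbers are this example's own constructed values; the registry paths, the device-class GUID and event ID 6416 are standard Windows locations. Run elevated.

```powershell
# Added example (not from the article). Run elevated on a Windows workstation.
# Function names and the sample serials are constructed for this example.

# 1) Inventory: USBSTOR remembers every USB disk ever enumerated on this host,
#    keyed by vendor/product and then by serial (or a generated instance ID).
function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $model = $_.PSChildName                       # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model        = $model
                Serial       = ($_.PSChildName -split '&')[0]   # strip the "&0" suffix
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-AttachedUsbStorage {
    # Only devices present right now.
    Get-PnpDevice -PresentOnly -Class DiskDrive |
        Where-Object InstanceId -like 'USBSTOR\*' |
        Select-Object FriendlyName, InstanceId, Status
}

# Serials of organization-issued drives, taken from the asset inventory.
# Constructed sample values.
$ApprovedSerials = @('4C530001231222112345', 'AA00000000000489')

function Find-UnapprovedUsbDevices {
    # Anything in the host's history that is not an issued drive is a personal
    # or unknown device and worth a conversation with the user.
    Get-UsbStorageHistory | Where-Object { $_.Serial -notin $ApprovedSerials }
}

# 2) Restrict: the "Removable Disks: Deny read/write/execute access" policies
#    live under this device-class GUID (removable disks). Deny_Write=1 stops
#    data being copied out; Deny_Execute=1 stops programs running from the
#    drive; Deny_Read=1 blocks the drive entirely, for workstations that never
#    need removable media.
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskRestriction {
    param([switch]$DenyRead, [switch]$DenyWrite, [switch]$DenyExecute)
    if (-not (Test-Path $RemovablePolicy)) { New-Item -Path $RemovablePolicy -Force | Out-Null }
    $settings = @{ Deny_Read = $DenyRead; Deny_Write = $DenyWrite; Deny_Execute = $DenyExecute }
    foreach ($name in $settings.Keys) {
        Set-ItemProperty -Path $RemovablePolicy -Name $name -Value ([int][bool]$settings[$name]) -Type DWord
    }
    Get-ItemProperty -Path $RemovablePolicy | Select-Object Deny_Read, Deny_Write, Deny_Execute
}

# 3) Detect: once "Plug and Play Events" auditing is on
#    (auditpol /set /subcategory:"Plug and Play Events" /success:enable),
#    every newly recognised device writes Security event 6416. This pulls the
#    disk-class ones so a lost-or-found-drive report can be checked against
#    what was actually connected.
function Get-RecentUsbConnections {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d.SubjectUserName
            Device = $d.DeviceDescription
            Class  = $d.ClassName
            Id     = $d.DeviceId
        }
    } | Where-Object { $_.Class -eq 'DiskDrive' -or $_.Id -like 'USBSTOR*' }
}

# Usage:
#   Get-UsbStorageHistory | Format-Table          # what has ever been plugged in
#   Find-UnapprovedUsbDevices                     # history minus the asset inventory
#   Set-RemovableDiskRestriction -DenyWrite -DenyExecute
#   Get-RecentUsbConnections -Days 30 | Format-Table
```

Setting the class-level policy with `Set-ItemProperty` is the right choice for a handful of machines; across a domain, the same values are set by the "Removable Disks: Deny write access" and "Deny execute access" Group Policy settings under Removable Storage Access, which is what an endpoint management tool does on your behalf. Combine `Deny_Write` with the BitLocker `RDVDenyWriteAccess` setting only where you intend to block all removable writes; on machines that legitimately use encrypted company drives, the BitLocker setting alone lets approved drives work while still refusing plaintext ones.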
The Baseline Control
The Canadian Centre for Cyber Security's Baseline Controls dedicate an entire control area to this topic — Portable Media (BC.13). It is one of the 13 fundamental control areas in ITSM.10.089 and it covers two core requirements: mandating the use of organization-owned, encrypted portable media (BC.13.1) and establishing processes for sanitization or destruction prior to disposal (BC.13.2).
These are not enterprise-scale requirements. They are achievable steps that any Canadian small or medium business can implement with modest effort and cost.
Our free assessment evaluates your organization across all 13 Baseline Control areas, including portable media security. It takes under 10 minutes and shows you exactly where your business stands — and where to start.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.