my-cumbria-logo, Toggle navigation

cs_portable, Portable media security icon

As useful as you think your USB pen-drive / flash-drive / external hard-drive might be, they do present a number of major security risks including loss of data, theft of data, file corruption, malware and breaches of GDPR laws. In this section we will refer to all USB portable media as "pendrives".

The following information describes these issues and shows you how you can reduce the risks by binning your pendrive and switching to the cloud.

 

  • What's on your pendrive?

    So you have a pendrive and it can store 64GB of files on it. Let's translate that into some common file sizes:

    File typeAverage sizeNo. of files you can fit in 64GB
    Video (full movie) 1.5gb 40 
    Video (from mobile) 30mb 2,100 
    Audio file 3.5mb 18,700 
    Photograph 4mb 16,300 
    PowerPoint 250kb 268,000 
    Word document 120kb 559,000 

    Although it is unlikely you would store these quantities of files on an individual pendrive; whilst looking at the following risks, consider how much data you can potentially lose if things go wrong.

    So, what is actually on your pendrive?

    Personal documents? Bank statements? CV? Personal photos? Your assignments? The latest draft of your dissertation?

    Can you afford to either lose these files or give access to a stranger?

  • Pendrives - The Risks

    Pendrives get lost or stolen

    Every year University of Cumbria staff find hundreds of pendrives that have been left behind in computers (in the libraries and IT labs) and although most of these are returned to their owners, about 10-15% remain unclaimed.

    Pendrives are small and are the type of object that you stick in a pocket or throw in a bag. This makes it really easy for you to lose them or put them through the washing machine (pendrives are not normally waterproof).

    It is also common for students and staff to leave a pendrive unattended whilst it is plugged into a computer. You may have just nipped to the printer or the toilet, but that pendrive is now available for a thief to steal.

    If your pendrive is lost or stolen, can you replace all of the lost files? Personal photos, your current assignment(s), certificates, etc.

    Is there anything on the pendrive that you would not want another person to see? Personal and/or intimate photos, financial information, information about others that might breach GDPR law, etc.

    Media failure

    Pendrives break! It is not unusual for a pendrive to completely fail. This can happen whilst you are using it (often in the middle of saving a file) or at the point where you plug it into a computer. The failure can be physical (getting snapped), but is more likely to be digital (all your data gets scrambled and cannot be accessed).

    Even if you buy a pendrive with a lifetime guarantee, the guarantee is only for the physical pendrive and does not cover any of your lost files. The producer will send you a new replacement pendrive, but all of your files are lost.

    If your pendrive fails, can you replace all of the lost files?

    There are a number of data recovery programs that can attempt to retrieve files from failed pendrives, but some are quite expensive and do not always work. If this has happened to you, contact the IT Service Desk for advice.

    Which pendrive?

    Pendrive users will often have more than one. So you hand a pendrive to a colleague, so they can access your joint presentation. Did you hand them the right pendrive or have you just given them one full of personal photos and information?

    It's a simple mistake to make, especially if you are in a rush.

    Do you want the other person to see your personal files? 

    Finding a pendrive

    There is one simple rule.

    If you find a pendrive - NEVER PLUG IT INTO A COMPUTER!

    In 2016, Google and the University of Illinois scattered 297 pendrives around campus for students and staff to find. 48% of them were subsequently plugged into computers. Google knows this because they placed hidden tracking software on the pendrives that contacted them every time one of the pendrives was used.

    A criminal can do the same thing, but along with tracking software they can download the entire contents of your computer or upload viruses (and other malware) onto it.

    If you find a pendrive, then hand it in for the owner to retrieve. At university - hand it in to the library. In public - hand it in to the police.

    Don't risk your own security because of a little curiosity.

    Pendrive malware

    Viruses, trojans and other nasty programs exist with versions that target removable media such as pendrives. The reasoning is that if you pick up this type of malware whilst surfing the web, then it can infect your pendrive which will then be plugged into another computer at some point in the future. This second computer is then infected and can infect other pendrives when they are plugged in.

    Good antivirus software should reduce this risk, but not all computers are protected.

    Data security

    Do you keep any sensitive data on your pendrive? e.g.

    Students: Identifying information about clients, students or patients (from placement)?

    Staff: Student records, EC forms or other personal data?

    Losing a pendrive (loss or theft), that contains sensitive data, can have lasting consequences:

    Students can be removed from their course (by the university and/or the professional body).

    Students and staff can open themselves and the university up to prosecution for breach of GDPR laws.

     

  • Pendrives - Remove the Risk

    Removing the risks involved with using pendrives is quite simple and can be condensed into the following five rules:

    1. Get rid of all of you pendrives and store everything in the cloud

    The university provides you with a OneDrive that you can use to store, share and access all of your university-related files. This is the perfect way to keep all of your files in a safe, secure location that you can access from anywhere that has an internet connection.

    You can also upload and access your files from a mobile device.

    Most users will also have a personal email address that also comes with free and paid cloud storage options. Use this space to store your most important and/or treasured documents, photos and files:

    • Outlook / Hotmail - Free OneDrive
    • Gmail - Free Google Drive and Google Photos
    • Apple Mail - Free iCloud 

    2. If you must use a pendrive - only use it for the file(s) that you need for that task

    Sometimes you think you need to transport a file or files by pendrive. This may be that you feel you need to carry a backup copy of a presentation to a classroom, assessment or conference.

    Using pendrives remains risky, but if you must use one - make sure you only store the essential file(s) on it. If it is for a presentation, then the only file should be the presentation. If the pendrive gets lost, stolen or broken, then you have lost almost nothing.

    3. If you must use a pendrive - make sure it is encrypted

    Even though you are only going to use a pendrive for carrying the occassional one or two backup files, adding encryption (password protection) to the pendrive will prevent anyone else from viewing your files.

    Most good pendrive makers now include some security tools and encryption software on the pendrive when you buy it. Make sure you switch it on and use a strong password.

    4. Destroy all pendrives, flash-drives and external hard-drives when you are finished with them

    Now that you are getting rid of all your pendrives (or you have a broken one lying around), you need to make sure that no-one can ever access your data.

    Even after you have wiped (deleted all files) from a pendrive, it can be possible to recover some or all of the original data. You should always use a Secure Delete or Secure Wipe option to clear your data. You should not pass on old pendrives for someone else to use. Do not sell old drives on sites like eBay because the buyer may just be trying to recover your data.

    If in doubt - secure wipe the drive and then smash it. A hammer is good for this.

    5. Never plug a found pendrive into a computer

    Never, ever, ever, ever plug an known or found pendrive into any computer. This should only ever be done by a security expert. 

Edit page