Removable devices have become commonplace tools in today’s work environment. They include everything from optical disks and memory cards to smartphones, USB flash drives, and external hard drives. An advantage of removable devices is that employees can easily take files with them when working from home or traveling for business off-site. However, despite their usefulness, removable devices have long been labeled a security risk. Unencrypted, insecure, and at times infected, they can facilitate the spread of malware on a corporate network and the exfiltration of sensitive data from company computers.

USB drives, in particular, have a long history as the starting point of major data leaks and as a popular vector for infecting company networks. According to the 2019 SANS State of ICS Cybersecurity Survey, 56% of attacks on operational technology and industrial control systems were initiated through direct physical access via a USB stick or other company equipment. A USB drive can also be used to boot a computer from external media, bypassing the operating system's login and exposing any unencrypted hard drive. Note that device control software only starts once the installed operating system is running, so this boot-from-USB path is closed by full-disk encryption, a firmware password, and a locked boot order rather than by endpoint policy alone.

As a consequence, device control tools have become a crucial component of data protection strategies, allowing organizations to control and restrict the use of removable devices. Our Data Loss Prevention (DLP) solution, Endpoint Protector, has an entire module dedicated to Device Control that includes some of the most advanced features on the market for the control of removable devices.

Let’s take a closer look at how they work!

Limit or block the use of removable devices

Seeing the worrisome list of risks that come with them, many companies might be tempted to block the use of USB and other removable devices altogether. This can easily be done through Endpoint Protector’s Device Control module, which can block the use of USB and peripheral ports as well as Bluetooth connections, so that no removable device can connect to a work computer.

In many cases, however, eliminating removable devices hinders employees in their day-to-day tasks and pushes them toward alternative online file transfer services, which brings an entirely new category of data security risks into play. While those risks can be addressed through other DLP features, such as Endpoint Protector’s Content Aware Protection module, businesses can also choose to restrict the use of removable devices rather than block it entirely.

Through Endpoint Protector’s Device Control module, companies can assign different levels of trust to devices based on whether and how they are encrypted. In this way, only removable devices that meet the required trust level are allowed to connect to endpoints.

Granular policies

The policies organizations can apply to removable device use through Endpoint Protector are not limited to a device’s trust level or to global settings for all company computers. Different rules can be created for particular groups, users, or computers.

In this way, companies can enforce stricter policies for employees who regularly work directly with sensitive data while giving the rest of the workforce more latitude. Alternatively, they can apply a company-wide block on removable devices but make exceptions for particular individuals or departments that need them to perform their daily tasks. There is also a read-only setting that lets users open and read files on removable devices but blocks writing files to them.

Stricter policies out of the office

With the rise of bring-your-own-device (BYOD) policies and remote work during and in the wake of the COVID-19 pandemic, organizations have increasingly allowed work computers to leave the relative safety of the company network. Endpoint Protector, just as its name suggests, is a DLP solution enforced on each computer rather than at the network level, which means its policies remain active whether a work device is in the office or at home.

Companies can go one step further to protect sensitive information outside the office: they can enforce stricter device control policies outside office hours, outside the company network, or both. Working days and hours, together with the DNS details that identify the company network, are defined in Endpoint Protector’s dashboard, and different rules can then be set based on them. Because network detection relies on DNS details that the network itself supplies, the stricter off-site policy should be treated as the safe baseline and the in-office relaxation as the exception, rather than relying on the detection as a hard security boundary.

Offline temporary passwords

Emergencies happen, especially when employees are out of the office: they may need to use a removable device to quickly transfer or view files for a meeting or client. For just such cases, Endpoint Protector lets administrators generate an offline temporary password that, when used, grants time-limited unrestricted access to a specific device, computer, or user, without the endpoint needing to reach the management server.
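To make the policy model in the sections above concrete (per-group, per-user and per-computer rules with a read-only action; stricter rules outside working hours or off the company network; and a time-limited temporary password override), here is a small policy resolver written for this article. It is an added illustration, not Endpoint Protector's own code or API: the rule fields, the trust-level scale, the working-hours window, the "most specific scope wins" precedence and all sample users, devices and timestamps are assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Actions ordered from most to least restrictive; the order is used when merging rules.
BLOCK, READ_ONLY, ALLOW = "block", "read_only", "allow"
ACTIONS = (BLOCK, READ_ONLY, ALLOW)
SPECIFICITY = {"global": 0, "group": 1, "user": 2, "computer": 3}
WORK_DAYS = range(0, 5)     # Monday..Friday (assumed working days)
WORK_HOURS = range(9, 18)   # 09:00-17:59   (assumed working hours)

# scope: ("global",) | ("group", g) | ("user", u) | ("computer", c)
# min_trust: required device trust level; 0 accepts unencrypted devices (assumed scale)
# offsite_action: stricter action applied outside working hours or off the company network
Rule = namedtuple("Rule", "action min_trust scope offsite_action", defaults=(0, ("global",), None))
Device = namedtuple("Device", "serial trust_level")
Context = namedtuple("Context", "user groups computer now on_corporate_network")
TempPassword = namedtuple("TempPassword", "target expires")  # target: ("device"|"computer"|"user", name)


def in_working_hours(now):
    return now.weekday() in WORK_DAYS and now.hour in WORK_HOURS


def select_rule(rules, ctx):
    # Most specific matching rule wins: computer > user > group > global.
    best = None
    for r in rules:
        kind = r.scope[0]
        matches = (kind == "global"
                   or (kind == "group" and r.scope[1] in ctx.groups)
                   or (kind == "user" and r.scope[1] == ctx.user)
                   or (kind == "computer" and r.scope[1] == ctx.computer))
        if matches and (best is None or SPECIFICITY[kind] > SPECIFICITY[best.scope[0]]):
            best = r
    return best


def temp_password_applies(temp_passwords, device, ctx):
    # A temporary password unlocks one device, computer or user until it expires.
    for tp in temp_passwords:
        if tp.expires <= ctx.now:
            continue  # an expired grant must never unlock anything
        if tp.target in (("device", device.serial), ("computer", ctx.computer), ("user", ctx.user)):
            return True
    return False


def decide(rules, device, ctx, temp_passwords=()):
    """Effective action for this device, on this endpoint, right now."""
    if temp_password_applies(temp_passwords, device, ctx):
        return ALLOW
    rule = select_rule(rules, ctx)
    if rule is None:
        return BLOCK                      # deny by default when nothing matches
    if device.trust_level < rule.min_trust:
        return BLOCK                      # device does not meet the required encryption level
    offsite = (not ctx.on_corporate_network) or (not in_working_hours(ctx.now))
    if offsite and rule.offsite_action is not None:
        # An off-site rule may only tighten the base action, never loosen it.
        return min(rule.action, rule.offsite_action, key=ACTIONS.index)
    return rule.action


# Constructed sample policy: company-wide block; Finance may use level-3 (e.g. hardware-
# encrypted) drives in the office but only read them off-site; one admin account is unrestricted.
RULES = [
    Rule(action=BLOCK),
    Rule(action=ALLOW, min_trust=3, scope=("group", "finance"), offsite_action=READ_ONLY),
    Rule(action=ALLOW, scope=("user", "it-admin")),
]


def run_scenarios():
    """Evaluate the sample policy against constructed situations; returns {name: action}."""
    tue_10 = datetime(2024, 3, 5, 10, 0)   # Tuesday, inside working hours
    sat_10 = datetime(2024, 3, 9, 10, 0)   # Saturday
    encrypted = Device("SN-ENC-001", trust_level=3)
    plain = Device("SN-PLAIN-002", trust_level=0)
    fin = Context("alice", {"finance"}, "LAPTOP-01", tue_10, on_corporate_network=True)
    fin_home = Context("alice", {"finance"}, "LAPTOP-01", tue_10, on_corporate_network=False)
    fin_weekend = Context("alice", {"finance"}, "LAPTOP-01", sat_10, on_corporate_network=True)
    sales = Context("bob", {"sales"}, "LAPTOP-02", tue_10, on_corporate_network=True)
    admin = Context("it-admin", {"it"}, "LAPTOP-03", sat_10, on_corporate_network=False)
    grant = [TempPassword(("device", plain.serial), expires=tue_10 + timedelta(hours=1))]
    expired = [TempPassword(("device", plain.serial), expires=tue_10 - timedelta(minutes=1))]
    return {
        "finance_encrypted_office": decide(RULES, encrypted, fin),
        "finance_encrypted_home": decide(RULES, encrypted, fin_home),
        "finance_encrypted_weekend": decide(RULES, encrypted, fin_weekend),
        "finance_unencrypted_office": decide(RULES, plain, fin),
        "sales_encrypted_office": decide(RULES, encrypted, sales),
        "sales_plain_with_temp_password": decide(RULES, plain, sales, grant),
        "sales_plain_expired_password": decide(RULES, plain, sales, expired),
        "admin_anything_offsite": decide(RULES, plain, admin),
    }


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:32s} -> {action}")
```

Two design points carry over to any real deployment: the resolver denies by default when no rule matches, and an off-site rule can only make the in-office action stricter, so a misconfigured exception cannot accidentally loosen policy once a laptop leaves the building. The expiry check on temporary passwords is the part to get right in practice, since an override that never lapses is just a permanent allow rule nobody reviews.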

Intuitive cross-platform interface

One of the greatest strengths of Endpoint Protector is its ease of deployment and use. Requiring neither extensive training nor a burdensome implementation period, Endpoint Protector can be up and running in a few hours. Not only that, as a cross-platform solution it offers feature parity for Windows, macOS, and Linux, ensuring the same device control policies are applied to work computers regardless of the OS they run.