EU/GL: ENISA report on Secure USB Flash Drives

Published on: 19/06/2008
Last update: 23/06/2008
Description (short summary):
Over recent years, corporate end-users have increasingly needed to be fully mobile and connected, taking work home or out of the office to keep up their productivity. Staff need to be able to synchronise files between a computer and the drive to allow key data to be backed up and available for use on the road or on other PCs. Thus, the use of laptops, notebooks, universal serial bus (USB) flash drives, personal digital assistants (PDAs), advanced mobile phones and other mobile devices has proliferated in recent years.

In particular, personal storage devices such as USB flash drives have gained in capacity and have become ubiquitous in the enterprise environment. However, these devices are usually lacking in security, control and management tools and, in most cases, their use is not covered by a corporate policy foreseeing audit, backup, encryption or asset management.

Recent events have raised concern, leading organisations to understand that to secure corporate information stored on personal USB drives, new policies and technologies must be put in place. Often the measures organisations take to secure information stored on mobile devices are inadequate. Enterprises with highly regulated or sensitive data should consider controlling the use of plug-and-play devices. However, awareness of the risks and available safeguards is the first line of defence for security.

This document gives a brief outline of the corporate data which is susceptible to security breaches/incidents, and highlights potential risks associated with the innocent use of USB flash drives by employees of enterprises, as well as with their use for less legitimate purposes such as smuggling information out of the company. Furthermore, it lists good practice guidelines which aim at helping readers to overcome obstacles within their organisations. The first step is to set clear security policies and make employees aware of them.

This paper targets IT departments, in particular IT managers and professionals, to help them secure information on the network and manage the data which enters and leaves the company via these mobile devices. It also targets corporate end-users in general, to raise awareness of the risks related to the use of USB flash drives.

Description of license: © European Network and Information Security Agency (ENISA), 2008

Nature of documentation: Official reports and studies


media2118.pdf 1.8 MB