Mobile Storage Devices: 5 Considerations to Help Manage an Often-Missed Security Risk

Sometimes the cybersecurity threats that organizations face are complex, organized and require sophisticated countermeasures to ensure your data is protected. However, this is not always the case. Sometimes your data security can be improved by looking at simple internal business processes that may present a vulnerability.

The use of mobile storage devices as part of your daily business operations is common to legitimately facilitate data storage, transport and sharing. These devices are inexpensive, available, easy to use and interchangeable on almost all types of hardware.

The National Institute of Standards and Technology (NIST) defines a mobile storage device as a "portable device that can be connected to an information system (IS), computer, or network to provide data storage...Examples include, but are not limited to: USB flash drives, external hard drives, and external solid-state disk (SSD) drives..."

While these devices can help your operations and administration, organizations should review their usage to ensure they are not presenting unnecessary risks to confidential and sensitive data.

Risks Posed by Mobile Storage Devices

Without the appropriate oversight and controls in place the use of these devices can pose significant risk to an organization's data. These devices can be susceptible to loss by employees or contractors, easily stolen when removed from the office and left in bags or vehicles, subject to external attacks due to improper storage, shared and transported without tracking, and easily accessed due to lack of password protection.

Castellan Information Security is offering the following 5 considerations as a simple approach to help you begin to determine how to manage the use of mobile storage devices in a manner that limits any potential risk to you information they may pose.


  1. Are you aware of the extent of usage of these devices and what risk they pose?

We have observed that some management teams are not aware of common practises or to what extent their staff and operations use mobile storage devices. Subsequently, they are unable to assess if this poses a real risk to their data. A good place to start is to ask questions about the use of these devices including how often they are used, what information do they contain and what controls do we have in place.

  1. Do you know where all of the mobile storage devices are located?

A good next step is to take inventory of where your mobile storage devices are located, who has been issued one and where are they kept. This will help provide a further picture on the possible risk that they present.

  1. Should your company / public organization use them?

While these devices are easy to use and have operational benefits, organizations should assess if they are truly required and does the risk outweigh the benefits. In our experience, it is common that some organizations, due to the nature of their work and the type of data they collect, should limit their reliance on mobile storage devices as it is not worth the security risk to their information.

  1. Do you have policies and processes in place to guide their usage?

If it is determined that these devices are important to your business operations, internal controls and processes must be established to properly manage this risk. Some internal controls can include:

  • Implementing a written procedure outlining how, when and where they can and can't be used.
  • Limiting the type of information that can be stored on these devices as well as who in the organization can use them (e.g., employees versus contractors). This would prevent your organization's most sensitive information from being stored outside of the most secure options.
  • Creating a tracking process to ensure the organization is aware of what devices are being used, who has possession of them and what information they contain.
  • Implementing measures to ensure data is removed from these devices to permanent secure storage after the mobile device is not required.
  1. Are Staff and Managers Trained?

A fundamental security measure organizations should implement is to offer annual information security training to managers, staff, and contractors. This training provides an overview of security threats, consequences, and counter measures they can adopt to protect the information they access. Included in this training should information on mobile security devices and covering internal processes governing the use of these devices.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and have worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information please feel free to contact us directly at

Ask us about our free preliminary security assessment and our Security Operations Centre (SOC) service that uses special detection technology and cyber experts to monitor your data on a live, 7/24 basis.


View More

Unite Interactive