
No USBs Allowed: A True Story of Innocent Insider Risk

Ryan Szedeli | Everfox

When it comes to Insider Risk, we’ve outlined why context is key. Human behavior is complex, and understanding the “why” behind the “what” is critical to just and accurate investigations. Sometimes, upon taking a closer look at all the channels of evidence available, activities that appear nefarious turn out to be employees simply doing what their superiors told them to do. This was the case in our third innocence file.
Several years ago, an individual triggered a “no USB allowed” policy. “No USB” policies are cybersecurity measures that restrict or ban the use of USB drives and other removable media within an organization’s network. This kind of policy is implemented to reduce the risk of data theft, unauthorized data transfer, and the introduction of malware through infected USB devices. Policies are commonly enforced by disabling USB ports on company devices or controlling access via software.

Insider Risk Policies: No USBs Allowed

By removing this capability, organizations reduce their attack surface and better control the flow of data. They strengthen endpoint security by preventing malicious devices from being connected to company systems, and they help companies comply with data protection regulations like GDPR and HIPAA.

Organizational Benefits

No USB policies are often enforced selectively within organizations to balance security with operational needs. In this approach, only certain employees or departments, such as IT administrators or individuals handling sensitive data, are granted permission to use USB drives, while others are restricted. This selective enforcement is typically managed through software controls that allow administrators to configure permissions based on user roles or job functions. This ensures that critical operations continue uninterrupted while minimizing the risk of data breaches or malware infections, maintaining both flexibility and security. 

A True Story of Innocent Insider Risk

THE CASE - Potential Data Theft

The individual in this scenario didn’t have rights to use a USB at his company, and upon further investigation, Everfox discovered that several files had been copied from a network drive onto the USB. Fortunately, thanks to our unrivalled User Activity Monitoring, which collects behavioral data from multiple endpoint channels for full context of user activity, we also had irrefutable evidence of a conversation between this employee and his manager about files that a co-worker needed. The co-worker was having problems reaching a specific network share due to IT issues, and the manager directed the employee to share those files promptly with his co-worker.

We analyzed the drive used and found it was a clean drive with no other files present; it was also an encrypted IronKey, which helped protect the files in transit. We also verified that this was a first offense for the employee. Upon the conclusion of evidence collection, we could easily determine the true nature of the situation:

The worker did, in fact, break a rule, but the contextual data surrounding the event clearly showed that it wasn’t malicious in nature.  

Case Closed.
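To make the two mechanisms above concrete, here is an added example (not Everfox code, and not from the original post) that joins the selective role-based USB enforcement described under Organizational Benefits with the multi-channel evidence review from the case: it flags a USB write by a non-exempt role, then looks for a chat message to the same user shortly before the copy that refers to the copied files, and folds in the drive contents, encryption and prior-offense history. The event records, role names and the file-name matching heuristic are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from Everfox or the article: a role-based USB allow list,
# plus endpoint events from two channels (chat and removable media) for one user.
USB_ALLOWED_ROLES = {"it_admin", "data_handler"}

EVENTS = [
    {"ts": "2024-03-04T09:02:00", "user": "jdoe", "role": "analyst", "channel": "chat",
     "text": "Manager: please get the Q1 report files to Sam today, he can't reach the share"},
    {"ts": "2024-03-04T09:15:00", "user": "jdoe", "role": "analyst", "channel": "usb",
     "device": "IronKey", "encrypted": True, "other_files_on_drive": 0,
     "files": ["Q1_report.xlsx", "Q1_notes.docx"]},
]

def violates_usb_policy(event):
    """Selective enforcement: a USB write is a violation unless the user's role is exempt."""
    return event["channel"] == "usb" and event["role"] not in USB_ALLOWED_ROLES

def _file_tokens(files):
    """Words taken from the copied file names, used to spot chat messages about those files."""
    tokens = set()
    for name in files:
        stem = name.rsplit(".", 1)[0].lower()
        tokens.update(tok for tok in stem.replace("-", "_").split("_") if len(tok) >= 2)
    return tokens

def directive_context(events, usb_event, window=timedelta(hours=1)):
    """Chat messages to the same user in the hour before the copy that mention the files."""
    t_copy = datetime.fromisoformat(usb_event["ts"])
    tokens = _file_tokens(usb_event["files"])
    hits = []
    for ev in events:
        if ev["channel"] != "chat" or ev["user"] != usb_event["user"]:
            continue
        t_chat = datetime.fromisoformat(ev["ts"])
        if not (t_copy - window <= t_chat <= t_copy):
            continue
        if any(tok in ev["text"].lower() for tok in tokens):
            hits.append(ev["text"])
    return hits

def triage(events, prior_offenses):
    """Combine the policy check with surrounding evidence into an analyst-facing summary."""
    usb_events = [ev for ev in events if violates_usb_policy(ev)]
    if not usb_events:
        return {"verdict": "no_violation", "context": []}
    usb = usb_events[0]
    ctx = directive_context(events, usb)
    # Mitigating picture from the case: a directive exists, the drive was clean and encrypted,
    # and this is a first offense. Anything less goes back to a human for review.
    mitigating = (bool(ctx) and usb["encrypted"]
                  and usb["other_files_on_drive"] == 0 and prior_offenses == 0)
    return {"verdict": "policy_breach_non_malicious" if mitigating else "escalate_for_review",
            "context": ctx, "files": usb["files"], "first_offense": prior_offenses == 0}
```

The keyword match is only a triage aid to surface the relevant conversation; the final judgement on intent still belongs to the investigator reading it.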

This scenario is a common one. As employees strive to get work across the finish line, shortcuts are sometimes taken, especially when an urgent request comes in from a superior. A lesser Insider Risk Program could have incorrectly categorized this individual as a threat, which would have been problematic had it not been revealed that the employee was simply fulfilling the request of a manager.

Scenarios of innocent insiders are the ones we hope to uncover, as they help everyone to learn and evolve policies and procedures to accommodate edge cases.

Of course, we do catch plenty of bad people doing bad things; however, the goal of any Insider Risk investigation should be to seek the unbiased truth – to protect the innocent as well as hold the guilty accountable. Due diligence is critical to uncovering the “why” behind the “what” and to further evolving Insider Risk Programs into comprehensive and effective means of keeping company IP safe and protecting the workforce.

When it comes to protecting your organization from insider threats and data loss, Everfox offers comprehensive, reliable, and proven Insider Risk Solutions.

Choose Everfox User Activity Monitoring (UAM) and Insider Risk Management to safeguard your most critical assets, adhere to regulatory compliance, and maintain the integrity of your operations.