
USB drives, external hard disks, SD cards, and other removable media devices are among the most overlooked security risks in organisations of every size. They are portable, convenient, and almost universally used. They are also one of the most consistent pathways for malware to enter networks, including networks that are otherwise well-protected.

The challenge is not simply that removable media can carry threats. It is that the same devices are operationally necessary in most environments. Software updates, file transfers, diagnostic tools, engineering data, and maintenance records all move on removable media every day. Banning USB drives outright is rarely practical. Managing them properly is.

If you want to understand how significant the threat is before getting into controls, our post on why USB devices remain one of the biggest hidden cyber threats covers the risk landscape in detail.

This guide covers the removable media security best practices that matter most, from policy foundations through to technical controls, with particular focus on the environments where the stakes are highest.

Why removable media remains a serious threat

Removable media has been responsible for some of the most consequential cyber incidents on record. Stuxnet, the most studied malware attack in history, was introduced to an air-gapped industrial facility via an infected USB drive. The FBI has issued multiple warnings about organised cybercrime groups physically mailing malicious USB devices to organisations, with devices configured to automatically execute ransomware on connection.

These are not isolated incidents. Research consistently identifies removable media as one of the primary vectors for malware entering both IT and operational technology (OT) networks. The threat is particularly acute in environments where:

  • Systems are air-gapped and USB is the only practical data transfer method
  • Legacy infrastructure cannot run modern endpoint security software
  • Third-party contractors and visitors regularly bring devices onto site
  • High device volumes make manual checking impractical without a structured process

Understanding the risk profile of your specific environment is the starting point for any effective USB cybersecurity strategy.

How risk varies by environment

Not all environments carry the same level of removable media risk. The controls appropriate for a corporate office are not always sufficient for an industrial plant, a defence facility, or a vessel at sea.

| Environment | Primary risk | Key challenge | Recommended control level |
|---|---|---|---|
| Corporate IT | Data exfiltration, ransomware | Volume of devices in use | Policy, enterprise USB security controls, scanning |
| Industrial and OT | Operational disruption, safety incidents | Legacy systems cannot run endpoint AV | Hardware-based scanning at entry point |
| Defence and government | Espionage, classified data compromise | Classified networks, contractor access | Hardware scanning, audit logging, strict policy |
| Maritime | Navigation and operational system infection | Offline operation, third-party contractors | Ruggedised offline hardware scanning |
| Healthcare | Patient data breach, system disruption | Legacy medical devices, regulatory exposure | Policy, scanning, device registration |
| Oil and gas | Safety system compromise, operational shutdown | Remote sites, contractor USB dependency | Offline hardware scanning, contractor controls |

Removable media security best practices

1. Define and enforce a removable media policy

A written policy is the foundation everything else sits on. Without one, technical controls exist in isolation and staff have no clear standard to follow. An effective removable media policy should cover:

  • Which device types are permitted and which are prohibited
  • Who is authorised to use removable media and under what circumstances
  • The process for requesting approval to use a device not on the approved list
  • What happens when a device is lost, stolen, or suspected of being compromised
  • Specific requirements for contractors and third parties bringing devices on site
  • Consequences for policy violations

The policy should be reviewed at least annually and any time a significant incident or change in working practice occurs. For more on building an effective policy framework, our guide to removable media cyber security covers the governance principles in detail.

2. Maintain an approved device register

Allowing any USB device to be connected to any system is an unacceptable risk in most professional environments. Organisations should maintain a register of approved devices, with each registered device:

  • Assigned to a specific user or department
  • Labelled and tracked through its lifecycle
  • Removed from the register when decommissioned or reported lost

Device registration does not prevent a threat from being carried on an approved device, which is why it must be combined with scanning. But it does significantly reduce the attack surface from unknown or unaccounted hardware.

3. Scan all removable media at the point of entry

This is the single most important technical control for organisations handling sensitive data or operating in high-security environments. Every device that enters the environment, including approved, registered devices, should be scanned before connection to any system.

The approach to scanning matters as much as the act of scanning itself.

Software antivirus installed on host systems scans after the device has been connected. If the device carries firmware-level threats such as BadUSB attacks, zero-day malware, or threats that activate on connection, the host system is already exposed before any scan result is returned.

Hardware-based scanning stations address this by inspecting the device in a completely isolated environment before it reaches any host system. The host is never exposed during the scan. This approach, sometimes referred to as a sheep dip station in defence and industrial contexts, is the established standard for high-security environments. This distinction is critical in environments where:

  • Host systems run legacy operating systems that cannot support modern endpoint AV
  • Air-gapped networks mean cloud-based threat intelligence is unavailable
  • Devices are brought in by contractors whose previous usage history is unknown

Tyrex K-REX stations run five antivirus engines and two anti-malware engines simultaneously in a hardened, isolated hardware environment. They operate fully offline, produce a scan log for audit purposes, and require no installation on host infrastructure. For a full overview of how hardware scanning works across different deployment scenarios, visit the removable media security solutions page or the main USB malware removal solutions hub.

4. Encrypt sensitive data on portable devices

Any sensitive data stored on a removable device should be encrypted. If a device is lost or stolen, encryption ensures the data is unreadable without the decryption key.

AES-256 encryption is the current standard for data at rest on portable media. Organisations should consider whether encryption is enforced automatically through endpoint software, or whether it depends on the user applying it manually. Manual processes introduce human error and should be treated as unreliable in high-risk environments.

For classified or highly sensitive information, encryption alone is not sufficient. Physical security of the device and strict chain of custody procedures are also required.

5. Apply least-privilege access controls

Not every user or department has a legitimate need to use removable media. Access to USB ports and other removable media connections should be restricted based on role and operational requirement.

Where USB access is not required, ports should be disabled through endpoint management tools or physical port locks. Where access is required, it should be limited to approved device types only, with logging of every connection event.
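The register in practice 2 and the connection logging in practice 5 come together when someone has to check what actually got plugged in. The following is an added example, not code from the original article or from Tyrex: it parses the connection events that the Linux kernel logs when a USB device enumerates (a few constructed syslog lines are embedded as sample input), looks each device up in a small hand-built approved-device register keyed by serial number, and returns an allow/deny decision with a reason. The register layout, the hostnames and serial numbers, and the lifecycle states (active, lost) are all assumptions made for the example.

```python
import re

# Constructed sample syslog lines. The message format follows what the Linux
# usb-core driver writes on enumeration; hostnames, ports, serials and times
# are invented for this example.
SAMPLE_KERNEL_LOG = """\
Mar  4 09:12:01 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  4 09:12:01 ws-17 kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar  4 09:12:01 ws-17 kernel: usb 1-2: SerialNumber: 4C530001230419112345
Mar  4 09:40:55 ws-17 kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar  4 09:40:55 ws-17 kernel: usb 1-3: SerialNumber: 0019E06B9C2ABD51C7C00B22
Mar  4 10:05:12 ws-17 kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  4 10:05:12 ws-17 kernel: usb 1-4: SerialNumber: 4C530001230419198765
"""

# Assumed register format: serial number -> owner, expected vendor/product id,
# and lifecycle status ("active", "decommissioned" or "lost").
DEVICE_REGISTER = {
    "4C530001230419112345": {"owner": "eng-maintenance", "vid": "0781", "pid": "5583", "status": "active"},
    "4C530001230419198765": {"owner": "eng-maintenance", "vid": "0781", "pid": "5583", "status": "lost"},
}

_TS = r"\w{3}\s+\d+ \d\d:\d\d:\d\d"
FOUND_RE = re.compile(
    rf"^(?P<ts>{_TS}) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(rf"^{_TS} \S+ kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)$")


def parse_usb_events(log_text):
    """Group the kernel's per-port enumeration lines into one event per device."""
    pending = {}   # port -> event still collecting its serial number
    events = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            event = {"timestamp": m["ts"], "host": m["host"], "port": m["port"],
                     "vid": m["vid"], "pid": m["pid"], "serial": None}
            pending[m["port"]] = event
            events.append(event)
            continue
        m = SERIAL_RE.match(line)
        if m and m["port"] in pending:
            pending[m["port"]]["serial"] = m["serial"]
    return events


def evaluate(event, register):
    """Least-privilege decision: only an active, registered device whose
    vendor/product id matches its register entry is allowed."""
    serial = event["serial"]
    if serial is None:
        return "deny", "no serial number reported"
    entry = register.get(serial)
    if entry is None:
        return "deny", "device not in approved register"
    if entry["status"] != "active":
        return "deny", f"device status is {entry['status']}"
    if (entry["vid"], entry["pid"]) != (event["vid"], event["pid"]):
        return "deny", "vendor/product id does not match register entry"
    return "allow", f"registered to {entry['owner']}"


def review_connections(log_text=SAMPLE_KERNEL_LOG, register=DEVICE_REGISTER):
    """Return every connection event with its decision, ready for the audit log."""
    results = []
    for event in parse_usb_events(log_text):
        decision, reason = evaluate(event, register)
        results.append({**event, "decision": decision, "reason": reason})
    return results


if __name__ == "__main__":
    for r in review_connections():
        print(f"{r['timestamp']} {r['host']} usb {r['port']} serial={r['serial']}: {r['decision']} ({r['reason']})")
```

Running it on the sample lines yields one allow (the active registered drive), one deny for an unregistered device, and one deny for a drive that is registered but reported lost. The same decision logic can drive a udev rule or an endpoint device-control policy; reviewing the kernel log after the fact is the audit side of the control, not a substitute for blocking the port.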

6. Train staff on removable media risks

Technical controls reduce risk significantly but do not eliminate the human factor. Staff should understand:

  • Why unknown USB devices should never be connected to any system, including at home
  • How social engineering attacks using USB devices work, including the USB drop attack
  • What to do if they find, receive, or are given a USB device they were not expecting
  • The internal process for reporting suspected incidents or lost devices

Training should be repeated regularly, not delivered once at onboarding and forgotten. Threat awareness evolves, and so should staff understanding of removable media risks.

7. Manage contractor and third-party devices separately

Third-party contractors represent one of the highest-risk removable media scenarios in most secure environments. They arrive with devices that have been used across multiple sites, organisations, and operating environments, often without any structured security checking.

Best practice for contractor device management includes:

  • Requiring all contractor devices to pass through a dedicated scanning station before connection to any organisational system
  • Providing organisation-owned, pre-scanned media for contractors to use on site where possible
  • Logging all contractor device scans and retaining records for audit purposes
  • Briefing contractors on the removable media policy before they begin work

For defence and government environments specifically, contractor device management is often a compliance requirement rather than an optional control. Our dedicated post on government cybersecurity and removable media controls covers what those requirements look like in practice.

8. Maintain audit logs and scan records

Every removable media interaction should be logged. Audit records should capture:

  • The device identifier or serial number
  • The date, time, and location of the scan or connection event
  • The user who performed the scan or connected the device
  • The scan result and any threats detected
  • Actions taken in response to any positive detection

Audit logs serve two purposes: they support compliance with security standards and they provide the evidence needed for effective incident investigation. Many frameworks including ISO 27001, IEC 62443, and Cyber Essentials Plus require demonstrable audit trails for removable media controls.
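An audit record is only useful as evidence if it can be shown that nobody altered or removed entries after the fact. The following is an added example, not code from the original article or from Tyrex's products: it writes scan and connection records with exactly the fields listed above, chains each record to the previous one with a SHA-256 hash, and verifies the chain so that any edited or deleted entry is detected. The location names, usernames, serial numbers and detection name are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


def _record_hash(record):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained removable media audit log.

    Each record carries the hash of its predecessor, so altering, inserting or
    removing a record invalidates every later hash."""

    def __init__(self):
        self.records = []

    def append(self, device_id, location, user, event, scan_result,
               threats=(), actions=(), timestamp=None):
        record = {
            "seq": len(self.records),
            "device_id": device_id,                       # serial or asset tag
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "location": location,
            "user": user,
            "event": event,                               # "scan" or "connect"
            "scan_result": scan_result,                   # "clean", "infected", "n/a"
            "threats": list(threats),                     # names reported by the scanner
            "actions": list(actions),                     # response to a positive detection
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = _record_hash(record)
        self.records.append(record)
        return record

    def to_jsonl(self):
        """One JSON object per line, the form most SIEMs and archivers ingest."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_chain(records):
    """Return (True, count) if intact, or (False, index) of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev_hash"] != prev or _record_hash(rec) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, len(records)


def demo_log():
    """Two constructed records: a clean scan and a positive detection."""
    log = AuditLog()
    log.append("4C530001230419112345", "gatehouse scan station 1", "j.smith", "scan", "clean",
               timestamp="2025-03-04T09:10:00+00:00")
    log.append("0019E06B9C2ABD51C7C00B22", "gatehouse scan station 1", "contractor-acme-07",
               "scan", "infected",
               threats=["Example.Dropper (constructed detection name)"],
               actions=["device quarantined", "contractor refused site access", "security team notified"],
               timestamp="2025-03-04T09:41:30+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.to_jsonl())
    print("chain intact:", verify_chain(log.records))
```

Hash chaining makes tampering detectable but not impossible for whoever can rewrite the whole file, so the usual practice is to ship the records off the scanning station (or periodically anchor the latest hash somewhere the station operator cannot write) rather than rely on the chain alone.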

9. Establish a secure media disposal process

Removable media that has reached end of life presents a data risk if not properly handled. Devices should be wiped using a recognised sanitisation process before disposal or reuse.

NIST SP 800-88 provides internationally recognised guidance on media sanitisation methods including overwriting, degaussing, and physical destruction. For classified media, physical destruction is typically required. All disposal events should be logged with the same rigour as other removable media interactions.
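To show what "wiped using a recognised sanitisation process" looks like as a checkable step rather than a tick box, here is an added example that is not from the original article: an overwrite pass of random data followed by a zero pass, with an explicit flush to the medium and a full read-back verification of the final pass, applied to a temporary file that stands in for a block device so the example runs without touching real hardware. The image size, the file-based stand-in and the shape of the returned record are assumptions of the example.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write/read unit


def make_sample_image(size=200_000):
    """Create a temporary file of random bytes standing in for a device (constructed input)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(size))
    return path


def overwrite(path, patterns=(None, b"\x00")):
    """Overwrite every byte with each pattern in turn; None means random data.
    fsync after each pass so the data actually reaches the medium."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            written = 0
            while written < size:
                n = min(CHUNK, size - written)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                written += n
            f.flush()
            os.fsync(f.fileno())
    return len(patterns)


def verify_pattern(path, pattern=b"\x00"):
    """Read the whole medium back and confirm the final pattern is present everywhere."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            if f.read(n) != pattern * n:
                return False
            remaining -= n
    return True


def sanitise(path):
    """Run the overwrite and verification and return a record for the disposal log."""
    passes = overwrite(path)
    return {"path": path, "size": os.path.getsize(path),
            "passes": passes, "verified": verify_pattern(path)}


def demo():
    """Create a sample image, sanitise it, remove it, return the record."""
    path = make_sample_image()
    record = sanitise(path)
    os.remove(path)
    return record


if __name__ == "__main__":
    print(demo())
```

The verification step is the part most ad-hoc wipe scripts skip, and it is what turns the disposal log entry into evidence. Note the limits of the method: NIST SP 800-88 classes a host-side overwrite of flash media as a Clear-level operation, because wear-levelling and spare blocks in the controller may hold copies the host cannot address, which is why the text above points to physical destruction for classified media.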

Best practices for high-security and air-gapped environments

Organisations operating air-gapped networks face a specific challenge. Because there is no internet connection, removable media is often the only mechanism for transferring data in or out. That makes it not just a security consideration but a core operational dependency.

In these environments, standard best practices apply with additional rigour:

  • Scanning is not optional. It is the only technical control standing between an external device and the protected network
  • Software-based scanning on host systems is insufficient where hosts run legacy OS or cannot be guaranteed to be uncompromised
  • A dedicated hardware scanning station at the network boundary is the appropriate solution
  • Offline definition updates must be managed through a controlled process rather than cloud-based updates
  • All transfer events must be logged for compliance and incident investigation
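The bullet on offline definition updates is where air-gapped scanning stations most often get casual: an update bundle carried in on removable media is itself removable media. The following is an added example, not code from the original article and not how Tyrex stations import definitions: it verifies a constructed update bundle before import by authenticating a manifest, checking every file's SHA-256 against it, refusing any unlisted file, and refusing a rollback to an older definition version. The manifest format, the version scheme, and the HMAC key provisioned to the station are all assumptions of the example.

```python
import hashlib
import hmac
import json

# Assumed: a per-station key provisioned at deployment. Constructed value for the example.
STATION_KEY = b"constructed-demo-key-not-for-production"


def canonical(manifest_body):
    """Canonical JSON so the HMAC is independent of key order or whitespace."""
    return json.dumps(manifest_body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body, key=STATION_KEY):
    """What the update-preparation side does; shown so the example is complete."""
    return {"body": body, "tag": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def verify_update_bundle(manifest, files, installed_version, key=STATION_KEY):
    """files: mapping of filename -> bytes read from the update medium.
    Returns (ok, reason). Nothing is imported unless ok is True."""
    expected = hmac.new(key, canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest authentication failed"
    body = manifest["body"]
    if parse_version(body["version"]) <= parse_version(installed_version):
        return False, f"rollback refused: {body['version']} is not newer than installed {installed_version}"
    for name, digest in body["files"].items():
        if name not in files:
            return False, f"missing file {name}"
        if hashlib.sha256(files[name]).hexdigest() != digest:
            return False, f"hash mismatch for {name}"
    extra = sorted(set(files) - set(body["files"]))
    if extra:
        return False, f"unlisted files on medium: {extra}"
    return True, f"update {body['version']} verified"


def build_sample_bundle():
    """Constructed definition files and a matching signed manifest."""
    files = {"engine1.dat": b"constructed definition data A",
             "engine2.dat": b"constructed definition data B"}
    body = {"version": "2025.03.04",
            "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}}
    return sign_manifest(body), files


if __name__ == "__main__":
    manifest, files = build_sample_bundle()
    print(verify_update_bundle(manifest, files, installed_version="2025.02.28"))
```

HMAC is used here only because the Python standard library has no asymmetric signatures; in a real deployment the station would hold a public key and the update producer the private one, so that no secret capable of forging a manifest exists on the station itself. The rollback check matters as much as the hash check: replaying a genuine but old bundle is a way to quietly weaken a scanner without forging anything.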

For a broader look at how organisations secure data movement in isolated environments, our guide to air-gapped network security and risks covers the wider architecture and policy considerations.

Defence and government organisations, industrial control systems environments, oil and gas operations, and maritime operations all rely on air-gapped or partially isolated networks where this approach applies directly.

For sector-specific guidance on maritime removable media risks, our post on maritime anti-virus and USB security for ships covers the operational and compliance picture in detail. For industrial environments, the ICS security blog explains why OT networks are particularly exposed.

UK compliance frameworks for removable media security

A well-designed removable media security programme should align with the relevant standards for your sector. The table below covers the frameworks most relevant to UK organisations.

| Framework | Issued by | Removable media relevance |
|---|---|---|
| NCSC Removable Media Controls | National Cyber Security Centre | Specific guidance on scanning, policy, and technical controls for UK organisations |
| Cyber Essentials and Cyber Essentials Plus | NCSC and IASME | Baseline controls required for UK government supply chain; Plus tier requires verified removable media controls |
| ISO 27001 | ISO | Requires defined procedures for handling removable storage, including access controls and disposal |
| IEC 62443 | IEC | Industrial cybersecurity standard covering removable media controls for OT environments |
| JSP 440 | Ministry of Defence | Removable media scanning and authorisation requirements for classified MOD environments |
| UK NIS Regulations | UK Government | Applies to operators of essential services; requires risk-appropriate controls on removable media |

Frequently asked questions

What is a removable media security policy?

A removable media security policy is a formal document that defines how portable storage devices may be used within an organisation. It sets out which devices are permitted, who may use them, the conditions under which they may be used, and the controls that must be applied before any device connects to an organisational system.

What is the biggest risk from removable media?

The most common risks are malware introduction and data exfiltration. Removable media bypasses perimeter security entirely. A USB drive that carries malware enters the network at the point it is connected, not through any network boundary that firewalls or monitoring tools can intercept.

Can antivirus software protect against all removable media threats?

No. Standard antivirus software scans files on the device after it has been connected to the host system. Firmware-level attacks such as BadUSB are not stored as scannable files and bypass file-based scanning entirely. Hardware-based scanning stations that inspect the device before it reaches any host system provide stronger protection, particularly in high-security environments.

Do Cyber Essentials requirements cover removable media?

Yes. Cyber Essentials requires controls on removable media usage, and Cyber Essentials Plus requires independent verification that those controls are in place. Organisations bidding for UK government contracts that involve sensitive data are expected to hold at least Cyber Essentials certification.

How should removable media be disposed of securely?

Devices should be sanitised using an approved method such as overwriting, degaussing, or physical destruction before disposal. All disposal events should be logged. For classified or highly sensitive data, physical destruction is typically required to meet the relevant security standard.

What healthcare-specific considerations apply to removable media?

Healthcare environments face particular challenges with removable media because many medical devices run legacy operating systems and cannot support modern endpoint security software. USB scanning at the point of entry is the most practical control for environments where host-based AV cannot be relied upon.

The bottom line

Removable media security is not a solved problem. It is an ongoing operational discipline that requires the right policy, the right technical controls, and consistent enforcement across everyone who uses or brings portable devices into contact with organisational systems.

The organisations that manage it well treat every USB device as untrusted until proven otherwise, with a formal, hardware-enforced scanning process that sits between the external device and the protected network, regardless of who the device belongs to or how familiar it looks.
