USB Sticks & Removable Media
USB sticks and external drives are small, easy to lose, and a classic way to spread malware or walk data out the door. A USB stick you found is not a free gift — it may be bait. As a rule: don't plug in unknown devices, don't put company data on personal media, and hand anything suspicious to IT.
Removable media carries two risks. First, malware: attackers deliberately leave infected USB sticks where staff will find and plug them in ("if I plug it in, I can find the owner" is exactly the instinct they exploit). Second, data loss: copying company or customer data onto a USB stick or personal drive creates an unprotected copy that's trivial to lose or steal.
Most data transfer should happen through approved company systems, not physical media. When in doubt, don't plug it in and ask IT.
Don't plug in trouble
- NeverPlug a USB stick or device you found, were handed unexpectedly, or don't fully trust into a work device — give it to IT instead.
- DoCharge phones from your own adapter or a power bank rather than unknown USB ports, which can be tampered with (see Travelling Safely).
- DoReport finding an unexpected USB device, especially in or near the office — it may be a deliberate attempt to get in (see Report It).
Don't carry data out
- DoTransfer company data through approved company systems, not by copying it onto removable media.
- DoIf you genuinely must use removable media for company data, use approved, encrypted media and follow the proper process.
- NeverCopy customer or company data onto a personal USB stick, drive, or phone (see Handling Customer Data).
- AvoidLeaving USB sticks or drives with any work data lying around, in bags, or in cars — they're easily lost or stolen.
Ask yourself
- AskDo I actually know and trust where this device came from? If not, don't plug it in.
- AskIs there a proper, approved way to move this data instead of removable media?
- AskAm I about to put company or customer data onto something personal or unencrypted?