Protect Your Business from Unknown USB Cyber Threats
USB devices are small, inexpensive and easy to carry, which is why they remain popular in workplaces, schools, homes and field-based businesses. Flash drives, external hard drives, memory cards, USB charging cables and other removable media make it simple to move files, back up data, install software and connect devices quickly.
That same convenience is also what makes USB devices a serious cyber security risk.
An unknown USB device may look harmless, but it can be used to install malware, steal business data, bypass network defences, compromise passwords or give attackers access to a computer system. For businesses, especially small and medium-sized organisations, one careless USB connection can create a much larger security incident.
Cyber security authorities continue to warn that portable and removable media need proper controls. The Australian Cyber Security Centre’s Information Security Manual recommends developing and maintaining a media management policy, encrypting data stored on media and sanitising media in certain situations to reduce cyber supply chain and data spill risks. CISA also warns that portable devices can introduce malware, especially when users copy infected files or when automatic opening features are enabled.
This guide explains the dangers of unknown USB devices, why cybercriminals still use them, and what your business can do to reduce the risk.
What Is an Unknown USB Device?
An unknown USB device is any USB-based item that cannot be trusted or verified. This may include:
- A flash drive found in a car park, office, conference room or public place
- A USB device received in the mail from an unknown sender
- A promotional USB drive handed out at an event
- A personal USB device used on a business computer
- A second-hand external hard drive
- A USB charging cable from an untrusted source
- A device that belongs to a visitor, contractor or former employee
- A USB drive that has been used on unmanaged or infected computers
Many people think of USB risks only in terms of flash drives. In reality, cyber security risks can come from many USB-connected devices, including keyboards, mice, chargers, phones, cameras, external storage devices and even novelty electronics.
The problem is simple: once a USB device is plugged into a computer, it may be trusted by the operating system before the user understands what the device is doing.
Why Unknown USB Devices Are Dangerous
USB attacks work because they combine technology with human behaviour. People are naturally curious. If someone finds a USB drive labelled “Staff Bonuses”, “Confidential HR Files”, “Photos”, “Payroll” or “Client List”, they may be tempted to plug it in to see what is inside.
Cybercriminals know this.
A USB attack does not always need a sophisticated hacking campaign. In some cases, the attacker only needs to leave infected USB drives in places where employees are likely to find them. Once one person plugs in the device, the attacker may gain a foothold.
That foothold can then be used to install malware, steal credentials, copy files, move laterally through the network or prepare for a larger cyberattack.
Common Risks of Unknown USB Devices
1. Malware Infection
One of the most common risks of USB devices is malware infection. Malware is malicious software designed to harm systems, steal data or give attackers unauthorised access.
A malicious USB device may contain infected files, scripts or programs that run when opened. In some cases, the malware may rely on the user clicking a file. In other cases, it may exploit weak device settings, outdated software or automatic execution features.
Once malware enters a computer, it may:
- Steal passwords or browser data
- Log keystrokes
- Encrypt files for ransom
- Install spyware
- Spread across the network
- Disable security tools
- Create a backdoor for future access
USB-borne malware is especially dangerous because it can reach systems that are not directly exposed to the internet.
2. Bypassing Network Defences
Most businesses invest in firewalls, email filtering, web protection and other perimeter security tools. These controls are important, but USB devices can bypass many of them.
A firewall is designed to monitor traffic moving in and out of a network. It cannot stop an employee from physically plugging a malicious USB drive into a workstation.
This is why removable media attacks are still relevant. They give attackers a way to bypass internet-based defences and reach devices from the inside.
Singapore’s Cyber Security Agency has warned that threat actors use USB drives to bypass network perimeter defences and spread malware inside organisations.
3. Data Theft
Unknown USB devices are not only used to install malware. They can also be used to steal data.
If an attacker has physical access to a computer, they may use a USB device to copy sensitive files quickly. In poorly secured environments, this could include:
- Customer records
- Financial documents
- Password files
- Business contracts
- Intellectual property
- Medical or legal records
- Employee information
- Client databases
Data theft can also happen unintentionally. For example, an employee may copy business files onto a personal USB drive to work from home, then lose the device or use it on an infected personal computer.
For regulated industries such as healthcare, finance, legal services and government contractors, this can become a serious compliance issue.
4. Credential Theft
Some malicious USB devices are designed to capture login credentials. They may install keyloggers, dump stored passwords or redirect the user to fake login pages.
Once attackers obtain a username and password, they may attempt to access:
- Email accounts
- Cloud storage
- Remote desktop tools
- Business applications
- Accounting software
- Customer portals
- VPN accounts
Credential theft is especially dangerous when multi-factor authentication is not enforced. A stolen password may be enough for an attacker to access company systems remotely.
5. Ransomware Delivery
Ransomware is one of the most damaging forms of cyberattack. It encrypts business files and demands payment in exchange for a decryption key.
While ransomware is often delivered through phishing emails or compromised websites, USB devices can also be used as a delivery method. A single infected drive can introduce ransomware into a system, especially if endpoint protection is weak or employees have unnecessary administrator permissions.
Once ransomware spreads, a business may face:
- Downtime
- Lost productivity
- Recovery costs
- Data loss
- Reputational damage
- Legal and regulatory consequences
A small USB device can therefore lead to a major business disruption.
6. Supply Chain Compromise
Not every infected USB device comes from a suspicious source. In some cases, devices may be compromised before they reach the user.
Attackers may target low-cost electronics, promotional drives or third-party suppliers. A business may unknowingly purchase or receive infected devices that appear legitimate.
The Australian Cyber Security Centre specifically notes that sanitising media before first use can reduce cyber supply chain risks, including the risk of new media containing malicious code.
This means businesses should not automatically trust a USB drive simply because it is new, packaged or purchased from a supplier.
7. Human Curiosity and Social Engineering
USB attacks often succeed because they exploit curiosity rather than technical weakness.
An attacker may deliberately label a USB drive with something tempting, such as:
- “Executive Salaries”
- “Confidential”
- “Staff Bonuses”
- “Client Contracts”
- “Private Photos”
- “HR Documents”
- “Redundancy List”
- “Project Files”
The aim is to make the person feel curious enough to open it.
This is a form of social engineering. Instead of attacking a system directly, the attacker manipulates human behaviour. That is why employee training is just as important as technical security.
8. Attacks on Industrial and Operational Systems
USB devices are commonly used in operational technology environments, including manufacturing, utilities, logistics and industrial control systems. These environments may use removable media for maintenance, updates, diagnostics or data transfer.
However, USB devices can introduce serious risks into systems where uptime and safety are critical. NIST has highlighted that portable storage media, including USB flash drives and external hard drives, continue to be useful for transferring data physically, but they create cyber security risks in operational technology environments.
For industrial businesses, the issue is not only data theft. A USB-borne attack could disrupt production, affect safety, damage equipment or interrupt essential services.
Why Cybercriminals Still Use USB Attacks
Many people assume USB attacks are outdated. That is not true. Cybercriminals continue to use them because they are simple, cheap and effective.
USB Devices Are Easy to Distribute
Attackers do not need to send thousands of phishing emails. They can leave a few USB drives in strategic locations, such as:
- Office reception areas
- Car parks
- Cafés near business districts
- Conference venues
- Shared workspaces
- Training rooms
- Public transport areas
Even if only one person plugs in the device, the attack may succeed.
They Can Reach Isolated Systems
Some systems are deliberately kept offline or separated from the internet. These are sometimes called air-gapped systems. USB devices are often used to move files in and out of these environments.
That makes removable media a tempting attack path.
They Exploit Trust
People often trust physical objects more than suspicious emails. A USB drive can feel less threatening because it is familiar and ordinary.
This misplaced trust is exactly what attackers rely on.
They Can Avoid Some Security Monitoring
Signs a USB Device May Be Unsafe
You should treat any unknown or unverified USB device as unsafe. However, extra warning signs include:
- You found it in a public place
- It has a label designed to create curiosity
- It was mailed unexpectedly
- It belongs to someone outside the business
- It has been used on a personal or public computer
- It contains strange file names
- It asks you to enable macros or run software
- Your computer behaves unusually after connecting it
- Security software displays a warning
- The device appears as something unexpected, such as a keyboard or network adapter
Even if none of these warning signs appear, the device may still be dangerous.
How Businesses Can Protect Against Infected USB Devices
1. Create a Removable Media Policy
Every business should have a clear policy for USB devices and other removable media. The policy should explain:
- Who is allowed to use USB devices
- Which devices are approved
- What types of data can be stored on them
- Whether personal USB devices are allowed
- How USB drives must be encrypted
- How lost devices should be reported
- How found devices should be handled
- How media should be sanitised or destroyed
- What disciplinary or compliance rules apply
The ACSC recommends that organisations develop, implement and maintain a media management policy to protect data stored on media.
A policy is not useful if it sits unread in a folder. It should be part of onboarding, cyber security training and regular staff reminders.
2. Use Endpoint Security and Device Control
Endpoint security protects individual devices such as laptops, desktops and servers. Modern endpoint protection can help detect malware, block suspicious behaviour and monitor USB activity.
Device control features can also restrict how USB devices are used. For example, your IT team can:
- Block all USB storage devices by default
- Allow only approved company-issued USB drives
- Permit read-only access
- Block unknown device types
- Log USB connections
- Alert administrators when unauthorised devices are connected
- Prevent data copying to removable storage
This reduces the chance of human error and gives the business better visibility.
3. Disable Autorun and Autoplay Features
Autorun and Autoplay features can automatically open or run content when removable media is inserted. While modern systems are safer than older ones, automatic execution still creates unnecessary risk.
Businesses should ensure these features are disabled through device settings, group policy or endpoint management tools.
This simple step can reduce the chance of malicious code launching automatically when a USB device is connected.
4. Encrypt Approved USB Devices
If your business allows USB storage, approved devices should be encrypted.
Encryption protects the data stored on the device. If the USB drive is lost or stolen, unauthorised people cannot easily read the files without the correct password, recovery key or authentication method.
Encryption is especially important for:
- Client data
- Financial documents
- Employee records
- Legal files
- Health information
- Intellectual property
- Business plans
- Password-protected exports
The ACSC’s media guidance states that data stored on media should be encrypted.
5. Keep Personal and Business USB Devices Separate
Employees should not use personal USB drives on business computers. Personal devices may have been connected to home computers, public machines, school devices or other unmanaged systems.
Likewise, business USB drives should not be used on personal computers unless the device is managed, encrypted and approved by the business.
Mixing personal and business media increases the risk of malware infection, data leakage and compliance breaches.
A simple rule works best: business data belongs only on approved business devices.
6. Train Employees Not to Plug In Unknown USB Devices
Technology alone cannot solve the USB problem. Staff need to understand the risks.
Employee training should make the message clear:
Do not plug in unknown USB devices. Report them to IT.
Training should also explain why. Employees are more likely to follow a rule when they understand the consequences.
Useful training examples include:
- A USB drive found in a car park
- A promotional USB from an event
- A device labelled “confidential”
- A contractor asking to use their own USB
- A staff member taking files home on a personal drive
- A lost USB containing customer data
This turns an abstract cyber security rule into real-world behaviour.
7. Provide Safe Alternatives for File Sharing
Employees often use USB devices because they need a quick way to move files. If the business does not provide a secure alternative, staff may find their own workaround.
Better options may include:
- Secure cloud storage
- Managed file-sharing platforms
- Encrypted company portals
- Secure email links
- VPN access
- Role-based access to shared drives
- Managed mobile device solutions
When secure tools are easy to use, employees are less likely to rely on risky USB transfers.
8. Scan Removable Media Before Use
If USB devices must be used, they should be scanned before files are opened. This should be done using updated security software on a controlled device, not on a critical business workstation.
For higher-risk environments, businesses can use a dedicated scanning station or isolated machine to inspect removable media before it is allowed near production systems.
This is especially useful for industries that rely on external suppliers, field technicians or operational equipment.
9. Limit User Permissions
Employees should not have local administrator access unless they genuinely need it. If malware enters a computer through USB, limited user permissions can reduce the damage.
A least-privilege approach means users only have the access they need to perform their role.
This can help prevent malware from:
- Installing system-wide software
- Changing security settings
- Accessing restricted files
- Spreading across the network
- Disabling protection tools
Permission control is one of the most practical ways to reduce cyber risk across a business.
10. Keep Software and Security Tools Updated
Attackers often exploit outdated software. If a malicious USB device contains malware designed to exploit a known vulnerability, updated systems are more likely to resist it.
Businesses should keep the following updated:
- Operating systems
- Web browsers
- Office applications
- Endpoint protection tools
- Firmware
- Drivers
- Backup software
- Remote access tools
Security updates should be applied promptly, especially for high-risk vulnerabilities.
11. Back Up Business Data
Backups are essential. If a USB-borne attack leads to ransomware, data corruption or system failure, reliable backups can help the business recover.
Good backups should be:
- Regular
- Encrypted
- Tested
- Stored separately from the main network
- Protected from unauthorised access
- Monitored for failure
- Capable of restoring critical systems quickly
Backups do not prevent USB attacks, but they reduce the damage when something goes wrong.
12. Monitor and Log USB Activity
Your IT team should know when removable devices are connected to company computers. Logging USB activity can help investigate suspicious incidents and identify risky behaviour.
Useful logs may include:
- Device name
- Device serial number
- Computer name
- User account
- Time and date of connection
- Files copied or accessed
- Whether the device was blocked or allowed
Monitoring is particularly important for businesses handling sensitive data.
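The log fields listed above, together with the approved-device allowlist described under device control, are enough to triage USB connections automatically. The following is an added example, not code from the original article or any vendor tool: the CSV column names, serial numbers, host names and device-class labels are all constructed assumptions, and a real endpoint product would export its own format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log. Column names mirror the field list above and are
# assumptions, not the export format of any particular product.
SAMPLE_LOG = """\
timestamp,computer,user,device_name,serial,device_class,action
2024-05-06T09:12:03,FIN-PC-01,asmith,Corp Encrypted Drive,CORP0001,storage,allowed
2024-05-06T10:47:19,FIN-PC-02,bjones,Generic Flash Disk,EXAMPLE9F3A,storage,allowed
2024-05-06T11:02:55,HR-PC-04,cnguyen,Generic Flash Disk,EXAMPLE77B1,storage,blocked
2024-05-06T13:30:41,OPS-PC-07,dlee,USB Drive,EXAMPLE55C2,storage,blocked
2024-05-06T13:30:42,OPS-PC-07,dlee,USB Drive,EXAMPLE55C2,hid_keyboard,allowed
"""

# Serial numbers of company-issued drives (constructed placeholder values).
APPROVED_SERIALS = {"CORP0001", "CORP0002"}
# Classes a storage stick should never present (hypothetical labels).
UNEXPECTED_CLASSES = {"hid_keyboard", "network_adapter"}


def triage(log_text, approved=APPROVED_SERIALS):
    """Return (severity, reason, row) tuples for connections needing review."""
    rows = list(csv.DictReader(io.StringIO(log_text)))

    # Record every class each physical device exposed on each computer, so a
    # "drive" that also registers as a keyboard or network adapter stands out.
    classes_seen = defaultdict(set)
    for row in rows:
        classes_seen[(row["computer"], row["serial"])].add(row["device_class"])

    findings = []
    for row in rows:
        key = (row["computer"], row["serial"])
        unapproved = row["serial"] not in approved  # empty serial is unapproved
        if row["device_class"] == "storage" and unapproved:
            if row["action"] == "allowed":
                # Device control failed or is not enforced on this host.
                findings.append(("HIGH", "unapproved storage allowed", row))
            else:
                # Policy worked, but the attempt is still worth a follow-up.
                findings.append(("INFO", "unapproved storage blocked", row))
        elif (row["device_class"] in UNEXPECTED_CLASSES
              and "storage" in classes_seen[key]):
            reason = "storage device also presents as " + row["device_class"]
            findings.append(("HIGH", reason, row))
    return findings


def format_finding(finding):
    """Render one finding as a single alert line for the IT team."""
    severity, reason, row = finding
    return "[{}] {} {} user={} serial={} ({}): {}".format(
        severity, row["timestamp"], row["computer"], row["user"],
        row["serial"] or "<none>", row["device_name"], reason)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(format_finding(finding))
```

The last sample row shows why logging the device class matters: a blocklist that only covers storage would still let the keyboard interface of the same device through.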
What Should You Do If You Find an Unknown USB Device?
If you find a USB device in the office, car park, reception area or any public place, do not plug it into your computer.
Follow these steps:
- Do not connect it to any device.
- Do not give it to another employee to inspect.
- Place it somewhere safe.
- Report it to your IT team or manager.
- Let IT handle the device using a controlled process.
- If it was found near the workplace, treat it as a potential security incident.
Curiosity is exactly what attackers are counting on. The safest action is to report the device, not investigate it yourself.
What Should You Do If You Already Plugged In an Unknown USB?
If you have already connected an unknown USB device, act quickly.
Disconnect the device and report the incident to your IT team immediately. Do not try to hide the mistake. Early reporting can prevent a small issue from becoming a major breach.
Your IT team may need to:
- Isolate the computer from the network
- Scan the system for malware
- Review logs
- Check whether files were copied
- Reset passwords
- Inspect other connected systems
- Report the incident if sensitive data was exposed
The sooner the issue is reported, the better the chance of containing it.
USB Security Checklist for Businesses
Use this checklist to improve your organisation’s USB security:
- Create a removable media policy
- Block unknown USB storage devices by default
- Allow only approved and encrypted USB drives
- Disable Autorun and Autoplay
- Keep endpoint security active and updated
- Train employees not to plug in unknown devices
- Separate personal and business devices
- Use secure cloud-based file sharing where possible
- Scan removable media before use
- Monitor USB connections
- Limit local administrator access
- Maintain tested backups
- Report lost, found or suspicious USB devices immediately
- Review your policy regularly
USB security does not need to be complicated, but it does need to be consistent.
Final Thoughts
Unknown USB devices are a small but serious cyber security threat. They are easy to overlook because they are familiar, cheap and convenient. But that is exactly why cybercriminals continue to use them.
A single infected USB drive can introduce malware, steal data, bypass network defences or trigger a larger business-wide security incident. The risk is even higher when employees are not trained, endpoint controls are weak or businesses allow personal devices to connect freely to work computers.
The best defence is a combination of clear policies, technical controls, staff awareness and secure alternatives for file sharing. Businesses should treat unknown USB devices as untrusted by default and make sure employees know what to do when they find one.
For help protecting your business from USB-based threats, malware, ransomware and other cyberattacks, contact us or email us at cybersecurity@computingaustralia.group. Our cyber security team can help you strengthen your endpoint protection, improve staff awareness and build practical defences that reduce business risk. Our cyber security experts in Perth are available 24/7 to assist you.
Jargon Buster
Malware – A collective name for malicious software intentionally created to cause damage to computers, networks and users. Common types of malware include viruses, ransomware, spyware, adware and trojans.
USB – Universal Serial Bus is a plug-and-play interface that lets a computer communicate with peripherals and other devices.
Gordon Murdoch
FAQ
Why are unknown USB devices dangerous?
Unknown USB devices can contain malware, spyware or malicious software that may infect your computer once plugged in. They can also be used to steal data, capture passwords or give attackers access to your business systems.
Can a USB drive install malware automatically?
Yes, in some cases a USB device can trigger malicious activity when connected, especially if a system has weak security settings, outdated software or unsafe automatic opening features enabled.
What should I do if I find a USB device?
Do not plug it into your computer. Report it to your IT department or manager immediately so it can be handled safely.
Should employees use personal USB drives on business computers?
No. Personal USB drives may have been used on unsecured or infected devices. Businesses should only allow approved, encrypted and managed USB devices.
How can businesses protect against USB cyberattacks?
Businesses can reduce risk by using endpoint security, disabling Autorun, blocking unauthorised USB devices, encrypting approved drives, training employees and maintaining reliable backups.