Posted by: Kristen Caretta
Midmarket CIO, Risk management, SMB security, Strategy for CIOs
“Is this safe?” seemed to be the first question out of everyone’s mouth when a colleague of mine was handing out USB memory sticks at the recent MIT Sloan CIO Symposium.
The tiny memory sticks did not contain malicious material — only tips and information on health IT — but practically everyone had a story to tell of how they had been burned in the past by the innocuous-looking swag.
One CIO of a midsized pharmaceutical company told me that he had just gone through a memory stick nightmare the day before. A USB stick he had been expecting from one of his vendors arrived in the mail and no one thought twice about using it. “You’re supposed to trust these people,” he said.
Turns out, the stick was infected. The infection (he declined to share exactly what it was) soon spread through part of his company’s network and cost four hours of cleanup time that day.
“I will never trust these things again,” the CIO said, “especially the ones you get at conferences, because you really have no idea where it’s been or what’s on it.”
Another suspicious passerby told me that he had recently completed some internal security training at his company and was told simply not to use USB sticks, period.
While the concern isn’t new (the risks of USB storage devices have been highlighted for a while), I have to admit I was surprised by the number of people who had something to say about it. Of the 25 or so people I interacted with firsthand on this topic, I would say at least 20 of them questioned the security of the small handout.
More surprising, however, was the number of people who had a horror story (or knew of someone who did) and still took the drive. In fact, I only saw one person refuse it.