A recent article in CIO magazine highlights the potential security risks posed by using USB thumb drives. The premise of the article—that the firmware in these devices is generally not protected and can be replaced with malware that can infect your systems—sends chills down the spine of the risk-adverse lawyers and sourcing professionals involved in negotiating IT services contracts and associated security requirements.
While programmers are contemplating a long-term solution to this risk, companies should consider including specific requirements on limitations (or prohibitions) on the use of USB thumb drives in their security policies applicable to third-party vendors that have access to company computing devices. In addition, services contracts should address what will happen if the drives are used and the company's systems are infected or breached as a result, including the appropriate response actions and allocation of liability.