How to secure a thumb drive or an external hard drive?


Encrypting removable media makes it possible to guarantee that the data they contain will remain confidential.

Theft of confidential data is every company’s nightmare, and not without reason. Indeed, according to the PwC “data breach” barometer and the CNIL, in the first half of 2020, the number of data leaks increased by 20%.

In 15% of the cases, it’s the peripheral devices (thumb drives, hard disks, laptops) that are stolen. In 26% of cases, these leaks of sensitive files are accidental (loss of storage media, publication by mistake on the Internet, sending of files to the wrong recipient).

Since USB devices (thumb drives, external hard drives) and memory cards (SD cards) are easy to duplicate, steal or lose, it is imperative to define a strategy for securing thumb drives and disks.

Businesses must therefore set up management rules for the use of these storage devices and can rely on the French ANSSI (national agency for information systems security) recommendations to do so.


USB storage media (hard drives, thumb drives) are routinely used in professional environments.

Whether they are used to back up data or to exchange files between workstations, the use of thumb drives must be supervised and secured by rules and good practices.

Over the past few years, a great deal of malware has spread through businesses, infecting workstations and servers. As soon as an infected thumb drive is plugged into a USB port, the malware it carries infects the machine and then spreads across the company’s computer network.

This attack method is particularly favored by attackers because it is the employee who unknowingly brings the infected thumb drive into the business.

Whether it’s a thumb drive found on public transportation or a freebie from a trade show, your business can be the target of many attack scenarios. To guard against this threat, a new thumb drive can be checked on a dedicated machine called a sandbox before it is used on the computer network.

A sandbox is a dedicated computer whose only purpose is to scan the thumb drive for malware before the drive touches the production network.

This method makes it possible to prevent the computer network from being compromised by infected devices.
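As an added illustration of what such an inspection station does beyond running an antivirus scan (this is example code written for this article, not a tool from ANSSI or any vendor named here), the program below walks the mounted media, hashes every file with SHA-256, and flags the classic indicators: an `autorun.inf` file, executable or script extensions, and any hash that matches a known-bad list. The extension policy and the known-bad hash are constructed placeholders; a real station would load them from its scanner or threat feed, and the media root path is whatever mount point the station assigns.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one file on the inspected media that violates the station's policy.
type Finding struct {
	Path   string // path relative to the media root
	SHA256 string // hex digest, so the finding can be logged and correlated
	Reason string
}

// Extensions that should never be present on a data-exchange drive.
// Constructed policy for this example; adjust to the organisation's rules.
var blockedExt = map[string]bool{
	".exe": true, ".dll": true, ".scr": true, ".bat": true, ".cmd": true,
	".ps1": true, ".vbs": true, ".js": true, ".lnk": true, ".hta": true,
}

// Hashes the station already knows to be malicious. The value below is an
// obvious placeholder; a real station would load this list from its scanner.
var knownBad = map[string]string{
	"0000000000000000000000000000000000000000000000000000000000000000": "placeholder-signature",
}

// hashFile streams the file through SHA-256 without loading it into memory.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Inspect walks the media root and returns every file that violates the policy.
// An empty result means the drive passed inspection; any finding should block it.
func Inspect(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		sum, herr := hashFile(path)
		if herr != nil {
			return herr
		}
		rel, _ := filepath.Rel(root, path)
		name := strings.ToLower(d.Name()) // FAT/NTFS names are case-insensitive
		ext := filepath.Ext(name)
		switch {
		case knownBad[sum] != "":
			findings = append(findings, Finding{rel, sum, "matches known-bad hash: " + knownBad[sum]})
		case name == "autorun.inf":
			findings = append(findings, Finding{rel, sum, "autorun.inf present (legacy auto-execution file)"})
		case blockedExt[ext]:
			findings = append(findings, Finding{rel, sum, "executable or script file: " + ext})
		}
		return nil
	})
	return findings, err
}

func main() {
	// Assumed mount point of the drive under inspection; pass another path as argv[1].
	root := "/media/inspect"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := Inspect(root)
	if err != nil {
		fmt.Println("inspection error:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("BLOCK %s  sha256=%s  (%s)\n", f.Path, f.SHA256, f.Reason)
	}
	if len(findings) == 0 {
		fmt.Println("no policy violations found")
	}
}
```

The hashes in the report are the useful part for the security team: they let a blocked file be correlated with scanner verdicts and with other stations without copying the file itself off the sandbox.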

Technical and organizational traceability of removable media (external hard drives, USB peripherals) ensures that the hardware is used according to the rules defined by the company.

A good practice is to visibly mark the hardware using a colored marking (a label) and an identification number. Each item of hardware is registered and assigned to a specific use.

This removable hardware can also be kept in a locked container dedicated to this purpose. It’s also recommended to physically block or disable the USB ports of machines that don’t need them.

If you’re interested in traceability and physical hardware security, the French ANSSI has published the guide for the protection of critical systems in which you can find examples of attack scenarios and recommendations on how to secure USB devices.

Regardless of how you might lose your data, the data stored on a removable device should be systematically encrypted. Encryption renders any file format (text, video, audio) unreadable to anyone who does not hold the key.

Only the holder of the authentication key or password can then decrypt the data and access the file contents.

Using symmetric encryption such as AES (military-grade encryption), your file will be secured against advanced attacks. If your thumb drive were to be stolen or accessed by an unauthorized person, the previously encrypted files will be impossible to use. Only unencrypted files could be read.

Note here that it’s not the device that’s encrypted but the data itself. Any thumb drive or USB hard drive on the market can store both encrypted and unencrypted data at the same time.
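The following is an added example, written for this article and not taken from PRIM’X or CRYHOD, of what file-level encryption on a removable drive looks like in practice: a password is stretched into an AES-256 key, the file is sealed with AES-GCM, and the result is what actually lands on the thumb drive. It shows the two points above concretely: an encrypted file sits on an ordinary drive next to plaintext files, and without the password it is unusable. Because GCM authenticates the data, any modification of the container is also rejected. The container layout (magic bytes, salt, nonce, ciphertext) and the iteration count are this example's own choices, and the PBKDF2 routine is written out so that only the Go standard library is needed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Container layout as written to the removable media (constructed for this example):
//   magic(4) | salt(16) | nonce(12) | AES-256-GCM ciphertext + 16-byte tag
const (
	saltLen   = 16
	nonceLen  = 12
	keyLen    = 32      // AES-256
	pbkdfIter = 200_000 // PBKDF2 iterations; raise as hardware gets faster
)

var magic = []byte("ENC1")

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block,
// implemented inline so the example depends only on the standard library.
func deriveKey(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a password. A fresh salt and nonce are drawn per
// file, so the same password never reuses a key/nonce pair across files.
func Encrypt(password, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(password, salt, pbkdfIter))
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 0, len(magic)+saltLen+nonceLen)
	hdr = append(append(append(hdr, magic...), salt...), nonce...)
	// The header is bound as additional data so it cannot be swapped for another file's.
	ct := aead.Seal(nil, nonce, plaintext, hdr)
	return append(hdr, ct...), nil
}

// Decrypt opens a container. It fails on a wrong password and on any tampering
// with the header or ciphertext; it never returns partially decrypted data.
func Decrypt(password, blob []byte) ([]byte, error) {
	hdrLen := len(magic) + saltLen + nonceLen
	if len(blob) < hdrLen || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not an encrypted container")
	}
	hdr := blob[:hdrLen]
	salt := hdr[len(magic) : len(magic)+saltLen]
	nonce := hdr[len(magic)+saltLen : hdrLen]
	aead, err := newAEAD(deriveKey(password, salt, pbkdfIter))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, blob[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or tampered data")
	}
	return pt, nil
}

func main() {
	pw := []byte("correct horse battery staple") // constructed sample password
	blob, err := Encrypt(pw, []byte("Q3 payroll export (constructed sample data)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("container on the drive: %d bytes, starts with %q\n", len(blob), blob[:4])
	pt, err := Decrypt(pw, blob)
	fmt.Printf("right password:  %q err=%v\n", pt, err)
	_, err = Decrypt([]byte("wrong"), blob)
	fmt.Println("wrong password: ", err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(pw, blob)
	fmt.Println("tampered file:  ", err)
}
```

This is file-level encryption, which is what the paragraph above describes: the drive itself is unchanged and still accepts plaintext files. Products that encrypt the whole volume, such as the CRYHOD solution discussed below, remove the possibility of an unencrypted file ending up on the media at all.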

In businesses, it’s preferable to impose total encryption of removable USB media to make sure no sensitive data can leave the business on them unprotected. Quality encryption solutions can apply different behaviors when a thumb drive or USB hard drive is connected to a PC on the company network.

The risk of loss or theft of computer equipment is high when employees are mobile and as a result of the widespread adoption of telecommuting. Encrypting the hardware partitions (system and data) is recommended to prevent the disclosure of confidential information.

Using the CRYHOD solution developed by PRIM’X, the whole machine is encrypted.

Access to the machine is by pre-boot authentication (before the operating system starts up) using a password, a certificate or a USB security token.

The solution is deployed using common administration tools such as Microsoft System Center Configuration Manager (SCCM) and can integrate with Active Directory.

The hardware is thus secured throughout its life cycle: if the machine isn’t given a password or secret, it won’t start and the data will remain inaccessible. This protection extends to the hardware recycling phase.

To find out more about the CRYHOD solution, check out the solution product sheet.