That USB drive on your desk might be the easiest way into your business
Cyber Essentials asks whether you restrict USB drives and removable storage, because plugging in an unknown device bypasses almost every other security control you have.
Here's a scenario that plays out often enough to be a pattern, not a one-off: someone finds a USB stick in the car park, or gets handed one at a trade show, or simply uses their own personal drive to move a file between their home computer and the office. They plug it into a work laptop without a second thought, because that's just what USB sticks are for. If that drive is carrying malware, every firewall, every piece of network monitoring, every carefully configured security header on the company website becomes irrelevant, because none of them were ever designed to stop something plugged in directly.
Cyber Essentials asks about exactly this under CE4 Malware Protection: do you restrict the use of USB drives and removable storage? It's a control that sounds almost old-fashioned next to things like DKIM key strength or cross-origin headers, and that's precisely why it gets overlooked, even though the risk it addresses hasn't gone away.
Why a physical device bypasses your other defences
Most security controls a business puts in place are designed around network traffic: filtering what comes in through email, monitoring what connects over the internet, checking what an external attacker might reach from outside. A USB drive sidesteps all of that entirely. It's not arriving over the network. It's being physically connected to a device that's already inside every other layer of protection you have.
This is also why USB-based attacks remain a known route for malware specifically designed to spread once it's inside a network, rather than relying on tricking someone into clicking a link. The drive does the work that a phishing email would otherwise need to do, and it does it without needing to get past any email filter at all.
Why this is easy to overlook
USB drives feel mundane. They're not exotic attack tools in most people's minds; they're just the thing you use to move a presentation from one laptop to another, or to back up a few files, or to bring photos in from a phone. That familiarity is exactly why the risk doesn't register the same way a suspicious email does. Nobody trains staff to be suspicious of a USB stick the way they're trained to be suspicious of a strange attachment, even though the underlying risk is comparable.
It's also a control that's genuinely inconvenient to enforce well, which makes it tempting to leave unaddressed. Restricting USB access can interfere with entirely legitimate workflows, and businesses without a clear policy often end up with no restriction at all, simply because nobody wants to be the person who makes file transfers harder for everyone.
What restricting this actually looks like in practice
Restriction doesn't have to mean banning USB drives outright, though some businesses do choose that route for higher-risk environments. A more workable middle ground for most small businesses is disabling USB storage access by default at the device level, then allowing exceptions only where there's a genuine, identified business need, with company-approved drives rather than whatever happens to be lying around.
Most operating systems and endpoint management platforms support this kind of control natively, allowing USB storage to be blocked while still permitting other USB devices like keyboards and mice to function normally. Where staff do need to move files, encourage alternatives instead: cloud-based transfer, shared drives, approved file-sharing tools, anything that doesn't depend on a physical device of unknown origin being plugged directly into a company machine.
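As an added example that is not part of the original article, the PowerShell below audits and applies a default-deny for USB mass storage on a single Windows endpoint while leaving keyboards and mice alone. It assumes Windows 10/11 and per-machine enforcement through the USBSTOR service key and the registry keys behind the Group Policy "Removable Storage Access" settings; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit and enforce "no USB mass storage by default" on one Windows endpoint.
# Assumes Windows 10/11 and per-machine enforcement via the registry keys behind the USBSTOR driver and the
# Group Policy "Removable Storage Access" settings. In practice, roll this out through your endpoint management tool.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Device-class GUID the Removable Storage Access policy uses for "Removable Disks" (USB sticks, external drives).
$RemovableDisksPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageState {
    # USBSTOR Start = 3 (manual, the default) loads the mass-storage driver on demand; 4 disables it outright.
    $start  = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $policy = if (Test-Path $RemovableDisksPolicyKey) { Get-ItemProperty -Path $RemovableDisksPolicyKey } else { $null }
    [pscustomobject]@{
        UsbStorDriverDisabled = ($start -eq 4)
        DenyRead              = ([int]$policy.Deny_Read    -eq 1)
        DenyWrite             = ([int]$policy.Deny_Write   -eq 1)
        DenyExecute           = ([int]$policy.Deny_Execute -eq 1)
        # "Restricted" is what an assessor wants to see: a deliberate block, not the unrestricted default.
        Restricted            = ($start -eq 4) -or ([int]$policy.Deny_Read -eq 1)
    }
}

function Set-UsbStorageRestricted {
    # Default: block mass storage entirely. -ReadOnlyException keeps the driver enabled but denies write and
    # execute, for the documented exception case where an approved drive may be read but never written to or run from.
    param([switch]$ReadOnlyException)

    New-Item -Path $RemovableDisksPolicyKey -Force | Out-Null
    if ($ReadOnlyException) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
        Set-ItemProperty -Path $RemovableDisksPolicyKey -Name Deny_Read -Value 0 -Type DWord
    } else {
        # Disabling USBSTOR stops USB mass storage from mounting at all. Keyboards, mice and webcams use the
        # HID and UVC drivers, not USBSTOR, so they keep working: block storage, not peripherals.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
        Set-ItemProperty -Path $RemovableDisksPolicyKey -Name Deny_Read -Value 1 -Type DWord
    }
    Set-ItemProperty -Path $RemovableDisksPolicyKey -Name Deny_Write   -Value 1 -Type DWord
    Set-ItemProperty -Path $RemovableDisksPolicyKey -Name Deny_Execute -Value 1 -Type DWord
    # Both settings are evaluated when a device is connected: a drive that is already mounted stays mounted until
    # it is removed, and a reboot is the reliable way to be sure the driver change has taken effect everywhere.
}

Set-UsbStorageRestricted
Get-UsbStorageState | Format-List
```

Running Get-UsbStorageState on its own across a fleet gives you the evidence for the CE4 question before changing anything; a result of Restricted = False on any device is a gap to document or close.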
Frequently asked questions
Does this mean staff can't charge their phones using a USB port on a work computer? Charging-only USB connections don't typically expose data transfer risk in the same way, though some stricter device policies disable all USB data functions as a precaution; most small businesses can reasonably allow charging while still restricting storage access.
What if a client or supplier needs to hand over files on a USB drive? Treat external drives as untrusted by default. Many businesses use a dedicated, isolated machine for scanning external drives before any file is moved onto the main network, rather than plugging an unknown drive directly into a normal work device.
Is this control more about external attackers or insider risk? It addresses both. An external attacker can use a dropped or gifted USB drive as a delivery method, while restricting removable storage also limits how easily data can be copied off company systems by someone already inside the business.
Does restricting USB access apply to phones plugged in for data transfer too? Yes, any removable storage device, including a phone connected in file-transfer mode, falls within the spirit of this control if it could be used to introduce malware or extract data.
How strict does this need to be to satisfy Cyber Essentials? There's no single mandated configuration, but assessors expect to see a deliberate restriction in place rather than unrestricted USB access left as the default across all devices.
Run a free scan of your domain and your CE Readiness checklist will walk through this and the rest of CE4 Malware Protection, ready before your assessor asks: olimpio.io/free-scan