A: Let’s start with this: Federal cybersecurity guidelines are that any portable external storage (USB drive, thumb drive, flash drive, SD card, etc.) are not to be permitted. This is a mandate for government systems, government contractors, health care providers, and financial organizations. It should be a mandate within your organization.

There is a reason for this madness.

One of the common methods of infecting computers with malware or allowing a hacker to access a computer is through portable external storage devices. This can be done in dozens of ways. But just to name a few:

  • The storage device is compromised at the factory (this has happened numerous times).
  • The storage device is left on the ground by the criminal, knowing that around 1/3 of people will pick it up and try to see what is on it.
  • The storage device may have been attached to another computer, and that computer is compromised, and therefore infected the external storage device.
  • The storage device may hold an electrical charge or be wired to short out your system.


  • Use cloud storage to share data – Google Drive, Dropbox, Box, etc. are excellent options.
  • Your IT department should have an air-gaped computer specifically just for dealing with portable external storage devices. They can take the device, plug it into this sacrificial computer and scan it for problems. If it passes, you may now use the device.

Not meaning to be a hard-ass about it, but really, truly, DO NOT HAVE A PORTABLE EXTERNAL STORAGE TOUCH YOUR COMPUTER (unless it has passed a security audit by your IT staff). Doing so places your computer and the integrity of your company data at high risk. And depending on your organization, may subject the organization to very hefty compliance violation fines.