How Strong Device Policies Can Help Solve Your Shadow IT Problem
Remote and hybrid work increase the risk of shadow IT: employees who use personal devices or unauthorized apps can cause data leaks or other security problems. Portable storage devices such as USB drives and external hard disks are commonly misused because they are efficient and convenient. Remedies include adopting encrypted devices, restricting port access, real-time monitoring and employee training, so as to balance security with usability and build a security culture. 2025-9-3 10:31:48 Author: securityboulevard.com

To no one's surprise, remote and hybrid work have changed the way we do business.

While we have greater flexibility, a bigger talent pool and often better productivity, remote and hybrid work have widened a blind spot that keeps a lot of IT leaders awake at night: Shadow IT.

Shadow IT is when employees use personal devices, unapproved apps, or other workarounds to get their job done outside the company’s official systems. More often than not, an employee bringing their own technology into the workplace is not acting maliciously; they are just trying to be efficient. But even well-intentioned workarounds can lead to lost data, malware infections, compliance violations, and a headache for the IT team that has to clean it up.


Because they are small and useful, portable storage devices — USB sticks, external drives, and SD cards — are among the most common tools used in shadow IT. The issue is that if these efficient, easy-to-use and portable devices are not secured the right way, they can easily put sensitive data in the wrong hands or introduce malware directly into your network. 

If your employees are working remotely or on the road, those risks multiply. The question isn’t whether you should manage portable storage – you should – it’s how.  

The Real-World Impact of Unmanaged Devices 

Recent research from my organization shows that two-thirds of organizations admit their remote or mobile workers knowingly put corporate data at risk in the last year, and nearly seven in ten believe their mobile workforce is likely to expose them to a breach in the future. 

Those numbers don’t mean workers are ignoring policies. In fact, 96% of organizations say they have a mobile or remote work security policy, and most believe employees try to follow it. The gap is in skills and tools. A full 73% say their people don’t have the technology or know-how to secure data properly. That’s a problem you can fix, but it takes more than good intentions. 

Why Banning USBs Isn’t the Answer 

Some companies have a knee-jerk reaction to the problem by banning all portable storage. While it might sound like a quick fix, it usually backfires. Employees still need to move data, especially in industries where file sizes are large or network connections are inconsistent. When the official tools are too slow or restrictive, employees will find unofficial ones. 

A more practical approach is to allow portable storage but keep it under control. That means: 

  • Issuing only corporately approved, hardware-encrypted devices 
  • Blocking ports from accepting anything else 
  • Tracking and enforcing these rules in real time 

It’s not just about security. Done right, this approach lets employees work efficiently without taking dangerous shortcuts. 

Turning Policy Into Practice 

Policies are only as strong as the enforcement behind them. In too many organizations, device policies live in a PDF no one reads after orientation. To make them work, you need both technical and human solutions. 

On the technical side, endpoint detection and response (EDR) tools can help monitor which devices are connecting to your systems. They can flag or block unauthorized hardware, and they give IT teams visibility into activity that would otherwise go unnoticed. That’s critical for remote workers who aren’t on the corporate network every day. 

On the human side, training matters. If employees don’t understand why certain devices are off-limits or how approved tools protect them, they’ll see security rules as obstacles. Keep the conversation practical and show them real examples of how a lost or stolen device could affect the business. 

Best Practices for Managing Portable Storage 

Need to help your employees reduce shadow IT risks but aren’t sure where to start? Here are five proven starting points:

  1. Mandate encryption for all removable media. Ninety-six percent of organizations now have an encryption policy for removable media, but consistent use is the challenge. Make encryption automatic by issuing pre-encrypted hardware devices. 
  2. Lock down USB ports for only pre-approved devices. Configure endpoints so they only accept devices you’ve issued and approved. This is one of the fastest ways to stop personal devices from sneaking in under the radar. 
  3. Clarify what’s allowed (and what’s not). Employees are more likely to comply when they have clear, specific guidance. “No personal USBs” is fine, but pair it with “Use this approved device instead” to give them a safe alternative. 
  4. Use EDR to keep an eye on endpoints. Monitoring tools can spot unusual activity and alert your IT team before a small policy violation becomes a major incident. 
  5. Refresh training regularly. Policies fade from memory if they’re only covered once. Include portable storage risks and secure handling in your regular security awareness training programs. 
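The port lockdown in step 2 and the endpoint monitoring in step 4 (and the three bullets under “A more practical approach” above) both rest on the same artifact: an inventory of issued drives identified by USB vendor ID, product ID and per-unit serial number. The following is an added example, not code from the article or its author. It renders that inventory as a USBGuard rules file (USBGuard is a Linux USB device authorization daemon; the rule syntax is its own, while the device IDs, serials and owners are invented) and then runs the same allow list over a few constructed device-attach events in a made-up key=value layout that stands in for whatever the EDR or audit log on your endpoints actually emits.

```python
"""Allow-list enforcement for removable storage (added example).

One inventory of issued, hardware-encrypted drives drives both the
prevention side (a USBGuard policy) and the detection side (a check
over attach events). All identifiers below are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedDevice:
    vid: str     # USB vendor ID, four hex digits
    pid: str     # USB product ID, four hex digits
    serial: str  # per-unit serial, so another unit of the same model is still rejected
    owner: str   # who the drive was issued to


# Constructed inventory; in practice this comes from the asset register.
APPROVED = (
    ApprovedDevice("0951", "1666", "ENC-0001", "alice"),
    ApprovedDevice("0951", "1666", "ENC-0002", "bob"),
)

MASS_STORAGE = "08"  # USB interface class code for mass storage


def usbguard_rules(approved=APPROVED):
    """Render a USBGuard rules file that allows only the issued drives.

    USBGuard applies the first rule that matches, so the per-serial allow
    rules come first and the class-wide block for mass storage after them.
    Devices that are not mass storage (keyboards, hubs) match nothing here
    and fall through to the daemon's implicit policy.
    """
    lines = [f'allow id {d.vid}:{d.pid} serial "{d.serial}"' for d in approved]
    lines.append(f"block with-interface one-of {{ {MASS_STORAGE}:*:* }}")
    return "\n".join(lines) + "\n"


# Constructed attach-event layout; adjust the regex to the real log source.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) attach"
    r" vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4})"
    r" serial=(?P<serial>\S*) class=(?P<cls>[0-9a-f]{2})$"
)


def check_attach(line, approved=APPROVED):
    """Classify one attach event as ('ok'|'ignore'|'alert'|'malformed', detail)."""
    m = EVENT_RE.match(line)
    if not m:
        return "malformed", line
    host, vid, pid, serial, cls = m["host"], m["vid"], m["pid"], m["serial"], m["cls"]
    if cls != MASS_STORAGE:
        return "ignore", f"{host}: non-storage device {vid}:{pid}"
    if not serial:
        # A drive without a serial cannot be matched to the inventory: fail closed.
        return "alert", f"{host}: mass storage {vid}:{pid} without a serial"
    for d in approved:
        if (d.vid, d.pid, d.serial) == (vid, pid, serial):
            return "ok", f"{host}: issued drive {serial} ({d.owner})"
    if any((d.vid, d.pid) == (vid, pid) for d in approved):
        # Same model as an issued drive but not an issued unit: a personal
        # purchase of the corporate model, or a clone. Still unapproved.
        return "alert", f"{host}: approved model {vid}:{pid}, unknown serial {serial}"
    return "alert", f"{host}: unapproved mass storage {vid}:{pid} serial {serial}"


def triage(lines, approved=APPROVED):
    """Run every event through check_attach and return only the alert details."""
    results = (check_attach(line, approved) for line in lines)
    return [detail for verdict, detail in results if verdict == "alert"]


# Constructed sample events: one issued drive, one keyboard, one personal
# stick, one unissued unit of the corporate model, one drive with no serial.
SAMPLE_EVENTS = [
    "2025-09-03T10:31:48Z host=lt-alice attach vid=0951 pid=1666 serial=ENC-0001 class=08",
    "2025-09-03T10:32:02Z host=lt-carol attach vid=046d pid=c31c serial= class=03",
    "2025-09-03T10:35:10Z host=lt-carol attach vid=0781 pid=5591 serial=4C530001 class=08",
    "2025-09-03T10:36:44Z host=lt-bob attach vid=0951 pid=1666 serial=ENC-0099 class=08",
    "2025-09-03T10:40:00Z host=lt-dave attach vid=abcd pid=0001 serial= class=08",
]

if __name__ == "__main__":
    print(usbguard_rules(), end="")
    for detail in triage(SAMPLE_EVENTS):
        print("ALERT", detail)
```

The check fails closed on a drive that reports no serial and treats an unissued unit of the approved model as a violation rather than waving it through on vendor and product ID alone. A matching serial is a policy check, not authentication: a maliciously programmed device can present whatever vendor, product and serial it likes, which is one reason the hardware encryption on the issued device matters more than the identifier, and why the monitoring side should stay on even once the lockdown is in place.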

Encryption and Balancing Security with Usability 

Encryption plays a critical role in securing portable storage. It’s encouraging to see that over half of organizations now encrypt USB sticks and portable hard drives, but that still leaves a lot of unprotected devices in circulation. 

Some companies focus encryption on laptops and desktops and overlook smaller devices. That’s risky. A USB stick is far more likely to be lost or stolen than a laptop, and if it’s carrying unencrypted sensitive data, you’ve got a potential breach. In fact, nearly one in four organizations say a lack of encryption was the main reason for a data breach. 

The most successful device policies balance strong security with practical usability. If you make it too hard for people to get their work done, they’ll find ways around your controls. Give them tools that are both secure and easy to use, and you’ll see compliance improve naturally. 

Think about it from their perspective. If you hand someone a pre-encrypted USB drive that works just like the one they’d buy at the store—but without the security risks—you remove the temptation to go rogue. 

A Culture Shift, Not Just a Rule 

Solving the shadow IT problem isn’t just about technology. It’s about creating a culture where security is part of how work gets done, not an afterthought. That takes consistent leadership, clear communication, and tools that make it easy to be secure. 

The truth is, you can’t eliminate shadow IT entirely. But you can reduce it to a manageable level, protect your sensitive data, and make life easier for your IT team. Strong device policies are a big part of that equation. 

Policies mean little without execution. If you equip your people with secure devices and security awareness training, then enforce the rules, you can close the gap between policy and practice. This approach leaves little opportunity for human risk, which is the real threat in today’s world. 



Source: https://securityboulevard.com/2025/09/how-strong-device-policies-can-help-solve-your-shadow-it-problem/?utm_source=rss&utm_medium=rss&utm_campaign=how-strong-device-policies-can-help-solve-your-shadow-it-problem