USB data theft prevention for Indian companies: a Pune pharma IT manager’s 9-hour Monday
A working story about USB data theft prevention for Indian companies. One Pune pharma IT head, an 08:55 AM EDR alert, and 9 hours of conversations that decided the rest of the quarter.

One Monday morning at a 220-person Pune pharma firm, an EDR alert flagged an unrecognised USB drive plugged into an accounts laptop. The drive had been picked up at a vendor stall the previous week.
Inside 9 hours the IT manager moved from “we have antivirus” to a signed PO for centralised USB device control. The conversations in between are what most Indian SMBs never write down.
Under the DPDP Act, a single unmonitored USB port that touches Aadhaar pointers or formulation data is a controllable risk the regulator expects you to have closed. The maximum penalty is Rs 250 crore.
Free USB exposure audit at the end. 60 minutes. No card. No contract.
08:55 AM · Hinjewadi, Pune
The alert that arrived before her second chai
Meera heads IT for a Pune pharma firm. 220 employees, 260 endpoints, an active USFDA inspection window the leadership avoids discussing at lunch. The Bitdefender console pinged three times from the same workstation. All three alerts carried the same tag.
“Unknown USB Mass Storage Device. HID composite. Persistence attempt blocked.”
The workstation belonged to Saurabh in accounts payable. The previous Friday Saurabh had attended a logistics-vendor expo near the airport. Meera remembered approving the half-day and, dimly, his mention of a “free pen drive” from a packaging-supplier stall.
The chai went cold. Meera opened the activity log. USB inserted 08:51:00, autorun blocked 08:51:04, two manual mount attempts before the port locked. The persistence attempt was HID emulation. In plain English, the drive was pretending to be a keyboard. That is not the kind of pen drive a vendor gives out. That is a tool.
She picked up her notebook. First line was a question: “How many USBs have we plugged in this month that we did not catch?” Second was a number. The IBM Cost of a Data Breach Report 2024 puts the average Indian breach at Rs 19.5 crore. Third was the name of one vendor she had bookmarked six months ago and never called back.
10:15 AM · Office cafeteria, ground floor
The friend who said the obvious thing first

Anjali heads HR. She was already at the corner table with her second filter coffee when Meera sat down. They had joined the firm in the same month four years ago.
“You look like the auditor sent you an email. Did the auditor send you an email?”
“Worse. Saurabh plugged a free USB from an expo into his work laptop. The EDR caught it. But the question I cannot answer is how many of those drives are in this building right now. We have 260 endpoints. We have logged 17 unknown-USB events in the last 90 days. I cannot tell you, today, what was on any of those 17 drives.”
“Then the problem is not the USB. The problem is that you do not have a list.”
Meera looked at her notebook. Anjali had compressed the entire morning into one sentence. She did not have a list. She had a console that caught attacks one at a time, and a junior team that had been clearing those alerts as “user education needed” for months. Nobody had been asking what the cumulative picture looked like.
“You know what Raghav will ask you at 11:30. He will ask why we are spending three lakh a year on security and you still cannot tell him whether someone has walked out with a formulation file. He will not be unkind about it. But that will be the question. So walk in with the answer ready.”
That was it. Meera had been planning to walk in with a problem. She would have to walk in with a number, a plan, and a price. I have seen this exact moment with maybe 30 IT heads over the years: the second when the friend across the table compresses the morning into one sentence.
11:30 AM · CFO Raghav’s office, third floor
The conversation that paid for the rest of the day

Raghav had the printout of last quarter’s IT spend on the desk in front of him. He pushed it slightly to the side when Meera walked in. That was the polite version of “convince me.”
“I want 18 minutes. The EDR caught a HID-emulation USB at 08:51 this morning on an accounts laptop. It was blocked. But the same logs show 17 unknown-USB events in the last 90 days that we cleared as routine. We do not know what was on any of those drives. If even one of them was an exfil tool that ran while a user had a formulation spreadsheet open, the data is already gone.”
“Last quarter you said the EDR was sufficient.”
“It was sufficient for malware on the endpoint. The question now is whether we can prove that no removable media has carried regulated data out of this firm. Right now I cannot prove that. The EDR sees individual USB events. It does not enforce a policy that says only these specific drives, owned by these specific people, may be used, and every file written to them is logged. That is USB device control. It is a separate module.”
“Cost.”
“Approximately Rs 380 per endpoint per year on top of the current EDR. 260 endpoints. About one lakh a year on a two-year term, before negotiation. Plus a one-time deployment of around 90,000 if we run it ourselves, or about half that if a partner runs the rollout.”
“And the alternative?”
“The alternative is that the next time an auditor asks ‘show me the USB log for endpoint X on date Y,’ I say ‘we did not log it.’ Under DPDP Act Section 8, that is not a defensible answer. The maximum penalty under Section 33 is Rs 250 crore. The likely penalty bracket for a small pharma is Rs 50 lakh to Rs 5 crore. Either bracket is more than four years of the proposed USB control spend.”
Raghav did the thing he does when he has decided but is not ready to say so. He looked at the page in front of him for ten seconds longer than necessary. Then he tapped the corner of the table once.
“Send me a one-page note by 5 PM. Cost, deployment timeline, and exactly what evidence the new console can produce that the current one cannot. If the note is honest I will sign the PO this evening.”
Meera did three things her predecessor never did. She named the gap (17 unaccounted USB events, not zero). She framed the spend as evidence production, not as another tool. She used citable numbers like the IBM 2024 breach average and the DPDP Section 33 cap instead of vague threats. Indian CFOs sign for evidence. They argue against fear.
14:20 PM · Meera’s desk, second floor
The vendor call that narrowed the scope

Karthik from Sirius Star called back 25 minutes after Meera sent the enquiry. He did not open with a pitch. He opened with the log file Meera had attached.
“Your 08:51 alert. The HID composite signature is consistent with a Rubber Ducky variant. Cheap, sold openly. Anyone could have left that drive on the expo floor. The good news is your EDR blocked persistence. The bad news is that the 17 other events you flagged are exactly the population a USB device control policy is meant to make visible. Let me walk you through the three controls that close this, and the one you should not buy yet.”
Three controls. Whitelisted device IDs, so only drives explicitly enrolled by IT can read or write. File-level logging of every byte written to any approved drive. Read-only enforcement on a defined ring of sensitive folders, which Meera had been meaning to define for two quarters.
“The one to not buy yet is full DLP. Secure Data Guard wraps USB control with email DLP and cloud-upload prevention. For 220 people that is the right two-year picture. For your USFDA window in eight weeks, USB device control alone, deployed in 12 working days, is the priority. Boiling the ocean before an auditor lands is how Indian SMBs miss deadlines.”
“Chalo. Deployment risk?”
“Lowest on endpoints already running Bitdefender. The module activates inside the existing console. Offline endpoints get the policy the moment they come online. Per CERT-In’s removable-media advisories, USB-borne incidents have risen for three consecutive quarters in Indian critical sectors, pharma included. Clean logs are now the floor the regulator expects.”
Meera wrote one line at the top of her notes in capital letters. USB IS A CONTROLLABLE RISK. UNLOGGED USB IS A NEGLIGENCE FINDING.
“Quote in your inbox in 6 working hours. 260 seats, two-year term, deployment plan against your USFDA window, one PO. Your existing Bitdefender renewal is in February. We can co-terminate so both lines fall on one invoice next year.”
She hung up. The relief in her shoulders was not because Karthik had sold her something. It was because someone had finally narrowed the problem to a size she could carry into Raghav’s office.
18:10 PM · Meera’s desk, lights coming on outside
The signed PO and the cold chai

The one-page note went into Raghav’s inbox at 5:42 PM. Cost line, deployment timeline against the USFDA window, the three controls in plain English, and the one sentence that mattered most: “This produces an evidentiary log for every removable-media event on every endpoint, retained for two years.”
The signed PO came back at 6:03 PM with one sentence at the bottom of his email.
“Good. Send me the first weekly USB summary the Monday after deployment closes.”
Meera leaned back. Outside, Hinjewadi was lit up the way it gets after 6 PM, when the office buses start lining up. She still did not know what had been on the 17 unknown drives from the last 90 days. She could not retro-engineer that. But from Monday in two weeks she would have a clean log going forward, a published acceptable-use policy that HR had agreed to circulate, and an evidence trail her USFDA inspector could read without translation.
She picked up the cup. The chai had, of course, gone cold three hours ago. She drank it anyway.
What this story teaches, mapped to your week
- Catch-rate alone is not a control. Your EDR blocking one USB at a time is detection, not policy enforcement. If you cannot answer “how many unknown drives have touched our endpoints this quarter,” you do not have USB control. You have USB hope.
- Frame USB device control as evidence, not as a tool. The CFO does not buy security modules. The CFO buys the ability to answer an auditor’s question. Walk into the budget meeting with the question already written down.
- Use citable numbers. Rs 250 crore is the DPDP Section 33 ceiling. Rs 19.5 crore is the IBM 2024 India breach average. CERT-In has flagged removable-media incidents as rising for three consecutive quarters. These are auditable citations. Vendor scare tactics are not.
- Narrow the deployment to the deadline. A vendor who tries to sell you full DLP, mobile management, and email security in the same week as your audit is a vendor who has not understood your week. The Indian buyer’s best filter is asking the vendor what to deprioritise.
- Log every byte. Whitelist every drive. Read-only the sensitive ring. These three controls, together, are what an Indian DPDP or USFDA auditor reads as a defensible posture. Anything less is jugaad.
USB data theft prevention for Indian companies: the four-question checklist
Before your next standup, answer these four in writing. If you cannot answer any one of them with a number or a date, that is your gap.
- How many unknown-USB events were logged on your endpoints in the last 90 days, and what was on each drive? If “we do not know” is the honest answer, the rest of this list is your remediation plan.
- Which folders on which endpoints contain regulated data? Aadhaar pointers, PAN files, formulation spreadsheets, KYC sheets, salary registers. List them by share path. That is the ring you will set to read-only on USB write.
- Who in your firm is authorised to use removable media, and is that list current? The honest answer for most Indian SMBs is “everyone.” Defining it is a one-afternoon HR conversation.
- What does your existing endpoint console produce as an evidentiary log? Print a one-week sample. If it does not show device serial, user, file name, size, and timestamp for every removable-media event, your console is incident-grade, not audit-grade.
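Questions 1 and 4 can be answered from a one-week console export. The script below is an added example, not part of the original post or any vendor's tooling: it counts events from drives IT never enrolled and flags rows that lack the five audit-grade fields. The CSV column names, the sample rows and the enrolled-serial list are constructed assumptions; map them to your own console's export headers.

```python
import csv
import io
from collections import Counter

# Fields the checklist says an audit-grade log must carry for every event.
# Column names are assumptions, not any console's real export schema.
REQUIRED = ("device_serial", "user", "file_name", "size_bytes", "timestamp")

# Constructed sample export (not real data). The third data row lacks a file
# name and size; the fourth comes from a drive that IT never enrolled.
SAMPLE_EXPORT = """endpoint,device_serial,user,file_name,size_bytes,timestamp
ACC-014,SN-ENROLLED-01,ap.user1,invoice_q3.xlsx,48211,2024-09-02T10:14:07
LAB-003,SN-ENROLLED-02,qa.user2,roster.pdf,90112,2024-09-02T11:40:55
ACC-014,SN-ENROLLED-01,ap.user1,,,2024-09-03T09:02:31
ACC-021,SN-UNKNOWN-77,ap.user3,formulation_v4.xlsx,1204224,2024-09-04T08:51:04
"""

# Constructed allowlist of drive serials enrolled by IT.
ENROLLED = {"SN-ENROLLED-01", "SN-ENROLLED-02"}


def summarise(export_text, enrolled_serials):
    """Return the weekly numbers: totals, unenrolled drives, incomplete rows."""
    enrolled = {s.strip().upper() for s in enrolled_serials}
    rows = list(csv.DictReader(io.StringIO(export_text)))
    unknown = Counter()
    incomplete = []
    for line_no, row in enumerate(rows, start=2):  # header is line 1
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            incomplete.append((line_no, missing))
        serial = (row.get("device_serial") or "").strip().upper()
        if serial and serial not in enrolled:
            unknown[(row["endpoint"], serial)] += 1
    return {
        "total_events": len(rows),
        "unknown_events": sum(unknown.values()),
        "unknown_devices": sorted(unknown),
        "incomplete_rows": incomplete,   # (file line, missing fields)
        "audit_grade": not incomplete,   # every event carries all five fields
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EXPORT, ENROLLED).items():
        print(f"{key}: {value}")
```

A row with no device serial is reported as incomplete rather than unknown, since it cannot be matched against the enrolled list at all.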
For the longer compliance picture, pair this with our DPDP readiness checklist for HR and IT teams and our DPDP compliance guide for Indian MSMEs. Meera’s morning is the version of the story most Indian IT managers will live through once. Writing it down is how the second one takes 9 minutes instead of 27.
Questions Meera wishes she had asked sooner
Q. What exactly is “USB device control” and how is it different from antivirus?
Antivirus scans files for known malware signatures. USB device control enforces a policy at the port level. It can whitelist specific drives by serial, force read-only on sensitive folders, log every byte transferred, and block unknown devices entirely. For DPDP and sector regulators like USFDA in pharma, the audit evidence comes from the device control log, not from the antivirus.
Q. We are a 60-person Indian SMB. Do we really need USB device control?
If any endpoint in your firm touches Aadhaar pointers, PAN, customer KYC, financial records, or any sector-regulated data, then yes. The DPDP Act does not exempt small firms from the “reasonable security safeguards” requirement under Section 8. A 60-person firm with no removable-media policy is a 60-person firm that cannot prove control if asked.
Q. How long does deployment take across a 200 to 300 endpoint estate in India?
10 to 14 working days for the standard rollout, assuming a working VPN or MDM channel to push the agent. Endpoints offline during the window can still be remediated when they come online. Documenting which ones did not connect is itself audit-grade evidence.
Q. Will USB device control block legitimate work, like a designer using an external SSD?
Not if the policy is configured correctly. The whitelist model enrols specific authorised drives by serial number. Designers, engineers, and accounts teams who genuinely need removable media get their drives enrolled. The block-by-default applies only to unenrolled devices, which is the exact population a USB drop attack relies on.
Q. How is Sirius Star different from buying a USB control module directly from the vendor?
Sirius Star is an Authorized Reseller and Channel Partner for Bitdefender and 50+ other brands. For a typical Indian SMB the saving is not on the licence cost. It is on the deployment overhead, the policy design, the HR communication, and the multi-product co-termination so endpoint, email, and removable-media renewals fall on one PO instead of three.
Your USFDA or DPDP auditor will not warn you before the question lands.
If your existing endpoint platform cannot tell you, in 60 seconds, how many removable drives touched your firm last quarter, that is the gap. Reply on WhatsApp with your endpoint count. We will run a free 60-minute USB exposure audit against your current console and tell you exactly which of the three controls Meera deployed are missing on yours. No card. No contract. No sales call.
WhatsApp +91 91375 93228 with the words “USB audit”.
Priya here. We ran this exact USB exposure audit for a Hyderabad CRO last week. Their 180-endpoint estate had 22 unknown-USB events in the previous quarter that nobody on the team had been asked to summarise. The Monday after deployment closed, the IT manager sent her CEO one line: “We now log every removable-media event. The number for week one was 4. All four were authorised.”






