Disconnecting the USB and remnoving any and all recording devices such as diskette drives and CD-RW or DVD-RW drives on ALL or most computers is a simple preventive measure. Similarly, the data should be on the network, with no local hard drive whenever possible (diskless work-stations). For mail servers, only IMAP with encryption and no POP should be allowed. By disconnecting / eliminating USB ports, one will have to physically tamper with the machine for the pen drives etc. to work - causing a more visible security breach that can be easily detected.
Most employees (commercial or Government)do not need these capabilities, and such a configuration should be made part of the specs for new equipment. In addition to improving security, this configuration change can reduce the cost of the equipment and the cost of maintenance / management.
One would think that Defence would have already thought through and implemented all such measures after the highly publicized CIA case, if not earlier - instead, they banned pen drives, rather than eliminating the ability of pen drives to work on computers that do not need it..
