If Finance staffers in your company carry company documents on portable USB drives, you may want to consider some policy changes to keep that data safe. 

Those drives are often infected with malware, and many are lost by their owners while containing sensitive, uencrypted information, according to a recent study by security firm Sophos.

Security researchers looked at 50 USB keys that had been lost by commuters at a train station in Sydney, Australia. The drives were purchased from the railway at a public auction.

The devices’ previous owners were lucky they ended up with a security company and not a criminal. Many of the drives contained sensitive personal or work-related information, such as tax documents, software and web source code, and blueprints for projects. None of the drives were encrypted or seemed to contain any encrypted files.

In addition to that data, researchers found viruses — and lots of them. Two-thirds, or 33, of the keys were infected with malware.

Spreading malware through USB drives has become a popular tactic with hackers, as it’s often not caught by antivirus software and can be used to exploit PCs’ auto-run feature. In fact, a study from last year found that 27% of the malware attacks organizations face come from an infected USB drive.

One way companies can avoid security problems when employees use USB keys: Provide people with secured, encrypted drives they can use. Otherwise, they’ll likely load data onto unsecured drives that may be loaded with malware.