I was tasked with a project for encrypting
all portable media for this reason.It was shelved as too expensive.
It seems this is a common problem for IT sec projects. That and the “it’ll never happen” determination.
One friend working for a gov’t contractor, when s/he reported that there were trojans on a network was told it wasn’t worth the effort to get rid of them because “they’ll just be back again tomorrow.”