Re: valid use
“And what if using USB drives are an active and valid part of business operations?”
Then there will be clear policies and training in place about what is acceptable and what is not acceptable, and an appropriate level of controls.
For example, at a site I previously worked at there is a valid business process that requires a weekly transfer of sensitive data.
There is a four eyes policy on the extraction and loading of the data - two people must undertake the task.
The USB ports are software locked - a break glass account is used to complete the task and that account has the role-based access to use the USB port. There is an approval process to obtain the break glass credentials and their use is time bound.
The USB stick is encrypted to a high standard.
The USB stick is transported by a third party security provider using tamper evident pouches.
This does not prevent theft of the data, it just makes it extremely difficult without collusion between several people.
Did Morrison’s just let the guy have access to open USB ports with no auditing of the data, and no policy about removing USB sticks from site? Very possibly, and therefore it did not take reasonable precautions to prevent loss.