"We're missing a laptop!" These words are not something you want to hear, but the chances are, it's going to happen at some point. Unfortunately, data on the majority of SMB laptops is not encrypted, so what exactly does it mean for your company if this happens?
It means that if the bad guys pull the hard drive from the missing laptop and plug it into a running system, then chances are they can access to your data. A simple user ID and password are not going to be adequate protection.
Are the thieves going to bother even looking at the stolen laptop? Many years ago, the hardware itself would fetch a decent amount on auction sites as "previously owned." With the professionalization of cyber crime, oftentimes, the data from a professional firm is worth more than the hardware itself.
Cyber criminals are very aware of the value of purloined data and a lost laptop can quickly turn into a serious incident. For example, the theft of personal information may lead to an extortion demand or blackmail attempt. Furthermore, a fine from a regulatory or governing body is frequently being applied to organizations that take a cavalier attitude towards laptop security.
In 2013, the Information Commissioner's Office (ICO) in the UK fined Glasgow City Council £150,000 for the loss of two unencrypted laptops, one of which contained personal details on more than 20,000 people.
In 2014, two entities paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Stolen or lost laptops have become one of the most common business security incidents, according to the 2014 Data Breach Investigation Reportby Verizon, and depending on the regulations governing your business, the penalties and costs could be significant. These penalties and costs continue to grow as the individuals' privacy, which was violated, may seek additional restitution.
These major enforcement actions in the US and UK underscore the significant risk to the security of personal or medical information posed by laptop computers and other mobile devices.
Here are five precautions you can take to ensure you limit the damage of a stolen device:
1. Utilize Tools Such as Full Disk Encryption
With the introduction of Windows 8.1 Bitlocker, Microsoft's disk encryption solution is bundled in the operating system (Windows 7 Ultimate had it as well). It takes some work to roll it out to an organization, but since it is included, your organization could find itself in a difficult legal position if a data breach occurs. There are also a plethora of third-party add-on solutions.
2. Physical Security
The traveling or unattended laptop is one of the more risky situations any mobile device can find itself in. In public places or even hotel rooms, the corporate laptop or tablet should be, at best, secured in a safe and, at worst, stored out of site. In the office, a security tether should be used, especially if overall access control to the facility is weak or the organization is large.
3. Data Segmentation
If storing all your data on a USB stick seems like a solution, think again. Your laptop may have an email client installed on it, and if those sensitive documents or information has been attached, the bad guys may get at those files. If you only utilize web mail and your documents are on an encrypted USB stick, this may be a useful technique to survive a lost or stolen device.
4. Disposal
It may sound like something out of Mission Impossible, but the physical destruction of a device that falls into the wrong hands is best, but drive wipe with secure erase software should be your minimum. Always keep in mind that the data lives on the hard drive inside the device. If you plan on backing up user files or archiving the contents of the old device, first make sure that it's secure as well.
5. Avoid Logos
Advertising whom you work for may not be the best idea if you are in a high-risk situation, like the world's largest hacker convention. Not the best time to bust out your NSA stickered Panasonic Toughbook.
Conclusion
Ultimately, you need to remember that the security of your mobile device(s) is your responsibility. Folks' stolen property is returned by strangers, or found using technology, all the time. Unfortunately, if it's out of your control, the contents may be copied or malware may have been implanted — be careful.