When Portability Becomes Liability – Crimes of Opportunity and Data Loss
Imagine for a moment that you have a briefcase containing hundreds of thousands of dollars in cash belonging to your organization. How would you treat this briefcase? Would you leave it unattended in an unlocked area for significant periods of time? Maybe on the front seat of your vehicle while you went shopping, or perhaps on the table at the cafeteria while you go for a drink refill? Sounds absurd, right? Unfortunately, this is exactly what people continue to do every day with their organization’s critical data and information, whether it’s stored on mobile electronic devices or other portable media.
Data loss, together with the brand and reputational damage and other intangible costs that follow such incidents, continues to be a major problem across all industries, and the majority of these incidents are simple crimes of opportunity. A recent survey by ASIS International put laptop theft as the third most prevalent type of corporate security incident occurring on company property, just behind employee theft and external theft and vandalism. In this survey, laptop thefts occurred at more than twice the rate of data-related incidents and five times the rate of intellectual property theft. Sadly, there is little reason for criminals to use high-tech methods such as hacking and phishing attacks when low-tech approaches such as walking through employee-only areas looking for unattended valuables, or breaking a car window, suffice.
Speaking of high tech, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) is an example of legislation covering confidential information; it was signed into law in 2009 to strengthen the already significant security provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Confidentiality is a major concern for any organization, but especially so in a healthcare facility. To ensure consistency and compliance with HIPAA, healthcare workers must do their utmost to protect the security and confidentiality of protected health information (PHI).
Confidential information, whether medical, patient-related, staff-related, business or financial, can only be utilized as permitted by HIPAA guidelines and this includes written, electronic or even verbal information (such as overheard conversations). Violations of these rather stringent guidelines can result in substantial fines and a negative impact upon the business’s brand and status.
Since such data can be misused for a variety of criminal and other malicious purposes, extraordinary precautions must be taken to protect it, and this is no different for organizations and industries outside of healthcare. Laptops and tablets are magnets for theft because they are easily sold on once stolen and have a high resale value. The most critical issue for organizations, however, is not the value of the device but the value of the data it contains, which is often far more precious than the device itself. The HITECH Act is just one of the latest focused regulatory strategies meant to make organizations more accountable for the security of their data and to ensure that at least minimal safeguards are implemented.
Data and information security, especially in the form of portable media and electronic devices such as laptops, shouldn’t require an act of Congress to protect it. There are many simple and effective methods for enhancing the security of such devices and the data they contain while strengthening the overall security culture of your organization.
Do Not Leave Devices Unattended
The phrase “I was only gone a minute” is repeated countless times during crime of opportunity investigations. If the electronic device or data source is not securely cabled or locked inside a desk or cabinet or otherwise in an access-controlled area, do not leave it unattended. The vast majority of laptop thefts do not involve any type of forced entry other than the occasional broken vehicle window. Again, treat it as if it were cash. All storage media that contains confidential information should be secured with adequate and reasonable safeguards including appropriate access control and intrusion alarms, and admittance into such data storage areas should be explicitly restricted to as few personnel as possible.
Never Rely on a Location Being 100 Percent Safe
If you do not have control over all persons that enter an area, do not leave a laptop or electronic device containing sensitive information in that area. Many of us take our portable devices to different locations within an organization for presentations or projects, not thinking that a conference or boardroom may not be as safe as our everyday work environment.
A room may be locked, but unless you know every person who has access to it, you should not rely on its security for your data. Remember also not to leave your device running and unlocked while you are away from it; an unlocked session lets anyone copy confidential data to a thumb drive in seconds. Lock the screen whenever you step away and change passwords regularly, but do not rely on a screen-lock password alone: it protects the running session, not the data on the disk, which anyone who removes the drive can read unless full-disk encryption is enabled.
Never Leave a Laptop in a Vehicle Where it can be Seen by Passersby
Smash-and-grab crimes (literally the smashing of a window and the grabbing of valuables) are usually prompted because a thief saw something of value inside the vehicle. Never leave anything of value on an open seat or dash of a vehicle, particularly when in an unfamiliar area. Always take a laptop or tablet with you or secure it out of sight if you plan to be away from the vehicle, and never store confidential data in any format (printed reports or CDs/hard drives) where it can easily be observed, and enact policies that significantly restrict the taking of such data off company property.
At Hotels and Conventions/Conferences
If you decide to leave your electronic device in a hotel room, lock it securely to a fixed object or lock it up in the hotel’s safe if one is available. Most conventions and conferences only check IDs at the beginning of the event, and many times persons are allowed access throughout the day without being challenged (especially at lunchtime), so do not leave the laptop in a meeting room without proper security being present.
Report all Incidents Immediately
The moment you discover that an electronic device or confidential data source is missing, or suspect that information may have been compromised, contact the appropriate authorities right away. Depending on the countermeasures already in place, your IT security department may be able to remotely lock or wipe the device through its device-management tooling, but only once the device comes back online. The data on the disk stays protected only if full-disk encryption was enabled before the loss; encryption cannot be applied to a device that is already in a thief's hands. The device can be easily replaced, but the data on it often cannot.
All such electronic devices should have their asset control and/or serial numbers recorded in the event of such a loss, and this should be relayed to the proper personnel as part of your incident report. The speed with which such losses are reported can often make a huge difference in the overall impact of such a theft.
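Because encryption has to be in place before a device goes missing, the check worth running before a laptop leaves the building is whether its filesystems actually sit on an encrypted volume. The following Python script is an added example, not part of the original article or any vendor tooling: it parses the `NAME`, `TYPE`, `MOUNTPOINT` and `PKNAME` columns of `lsblk -P` on a Linux laptop and walks each mounted filesystem up to the physical disk, looking for a dm-crypt (LUKS) layer. The two sample outputs embedded below are constructed, with a placeholder LUKS mapper name, and the whitelist of bootloader partitions that must remain unencrypted is an assumption to adjust for your layout. (On Windows the equivalent question is answered by `manage-bde -status`.)

```python
"""Verify that a Linux laptop's mounted filesystems are backed by dm-crypt.

Reads the block-device tree that `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`
prints and walks every mounted device up to its disk, flagging any mount
(and swap) that has no 'crypt' layer beneath it.
"""
import shlex
import subprocess

LSBLK_CMD = ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"]

# Assumption: bootloader partitions are expected to be plaintext; everything
# else on a laptop should be under full-disk encryption.
PLAINTEXT_OK = {"/boot", "/boot/efi", "/efi"}

# Constructed sample: LVM on LUKS, the common encrypted-laptop layout.
ENCRYPTED_LAPTOP = '''
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-PLACEHOLDER" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-PLACEHOLDER"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-PLACEHOLDER"
'''

# Constructed sample: plain partitions, nothing encrypted.
UNENCRYPTED_LAPTOP = '''
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
'''


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` KEY="value" lines into a list of dicts, in order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        row = {}
        for token in shlex.split(line):  # shlex strips the quoting for us
            key, _, value = token.partition("=")
            row[key] = value
        rows.append(row)
    return rows


def device_chain(rows, mountpoint):
    """Device types from the device holding `mountpoint` up to the disk,
    e.g. ['lvm', 'crypt', 'part', 'disk'] for LVM on LUKS."""
    # A device with several parents (e.g. md RAID) appears once per parent;
    # the last occurrence wins, which is fine for a laptop layout.
    by_name = {r["NAME"]: r for r in rows}
    node = next((r for r in rows if r.get("MOUNTPOINT") == mountpoint), None)
    chain, seen = [], set()
    while node is not None and node["NAME"] not in seen:
        seen.add(node["NAME"])
        chain.append(node["TYPE"])
        node = by_name.get(node.get("PKNAME", ""))
    return chain


def root_is_encrypted(rows):
    """True when the root filesystem has a dm-crypt layer somewhere below it."""
    return "crypt" in device_chain(rows, "/")


def unencrypted_mounts(rows):
    """Mountpoints (and swap) with no crypt layer, ignoring bootloader parts."""
    bad = []
    for r in rows:
        mp = r.get("MOUNTPOINT", "")
        if not mp or mp in PLAINTEXT_OK:
            continue
        if "crypt" not in device_chain(rows, mp):
            bad.append(mp)
    return bad


def check_local_machine():
    """Run lsblk on this host and report plaintext mounts (empty list = good)."""
    out = subprocess.run(LSBLK_CMD, check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(parse_lsblk_pairs(out))


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP), ("plain", UNENCRYPTED_LAPTOP)):
        rows = parse_lsblk_pairs(sample)
        print(label, device_chain(rows, "/"), "unencrypted:", unencrypted_mounts(rows))
```

Swap is checked alongside the regular mounts because a plaintext swap partition leaks whatever was paged out of memory, including the keys and documents that the encrypted root was protecting; a non-empty result from `unencrypted_mounts` is a device that should not leave the building with confidential data on it.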
If your organization suffers from such incidents, you might consider creating a laptop or portable electronic device theft taskforce, a multidisciplinary group to include security, IT, risk management and any other stakeholders that might offer insights and identify any opportunities for improvement. Education of all staff at an organization is also a big influence in the success of any type of data loss reduction program. Security (and this includes data security) is everyone’s responsibility, and by equipping all workers with some basic knowledge and precautions when dealing with sensitive information, organizations can better manage these types of issues through an integrated enterprise risk management approach.
This article was originally published in the magazine as "When Portability Becomes Liability – Crimes of Opportunity and Data Loss."