Go Mobile, Stay Safe: How Organisations Can Mitigate the Impact of Missing Devices
In insight / By Phil Muncaster / 12 November 2018
IT security professionals need to have 360-degree awareness when it comes to evaluating potential areas of cyber risk. Very often headline-grabbing nation state campaigns or sophisticated digital skimming operations may catch the eye. But they don’t tell the whole story. Lost and stolen devices are also a major source of potential trouble. Just ask Heathrow Airport Limited (HAL), which was recently fined £120,000 by the regulator after losing a USB drive containing highly sensitive information.
With the modern workforce increasingly expecting to be supported in any request for mobile working, security bosses need to perform a fine balancing act: keeping the organisation safe without sacrificing productivity and potentially driving insecure mobile use underground.
The mobile threat
Lost and stolen devices are a bigger challenge than many might think. An FoI request submitted to the BBC recently revealed it has reported over 170 lost (81) or stolen (91) devices over the past two years. These included 80 mobile phones, 82 laptops including MacBooks and high-end HP EliteBooks, eight iPads and even two desktop computers. Considering the Beeb employs around 20,000 people, the figure might seem pretty low. But if steps aren’t taken to mitigate the risk of unauthorised access to data or corporate accounts, even one device lost or stolen could have major repercussions — just as it takes only one misplaced click on a phishing link to open the floodgates to a major data breach.
The HAL story highlights that the challenge extends to smaller USB drives, potentially easier to lose. In this case, the memory stick in question was found on a street in West London and handed to a newspaper. Not only did it contain personal information on HAL employees and security personnel, but also details of security measures used to protect the Queen for an upcoming visit, the location of CCTV cameras and other highly sensitive info.
When one considers the popularity of BYOD in modern organisations, the risk of lost or stolen devices increases further. Although phone theft has hit a 10-year low, ONS figures analysed by insurer Protect Your Bubble last year revealed that nearly half a million Brits had a mobile phone stolen in 2016. Those in their early twenties were said to be twice as likely to fall victim. Pickpocketing and snatch theft, increasingly carried out at high speed on mopeds, were the favoured method of theft (40%), but over a third (35%) of devices went missing after simply being left unattended.
Even employees who should know better are failing to protect their devices. Nearly 100 laptops and mobiles have been lost or stolen by Welsh government employees since 2012. And an FoI request in December 2016 revealed nearly 1,000 government laptops and thumb drives had gone missing since May 2015. Separate figures from this year revealed that nearly 1,000 Ministry of Defence laptops had been lost or stolen over the past three years.
The weakest link
The bottom line is that humans make mistakes. And with BYOD and corporate-sanctioned devices either storing large amounts of sensitive data or offering easy access to networks, cloud services, and official apps, there’s an urgent need to lock down risk. The HAL incident has shown us that the risk of not doing so could be major regulatory fines. If it had lost that unencrypted, non-password protected thumb drive in the new GDPR era, there could have been even higher penalties to pay.
All the usual breach impacts apply. If a device goes missing without adequate protection, expect not only regulatory fines but a possible hit to the share price and follow-on legal action, alongside potential customer attrition as a result of the ensuing bad publicity.
Building stronger security
IT security managers have a difficult job. On the one hand, they must ensure each device that is allowed access to corporate networks and data is registered and secured. But on the other they need to do so in a way that doesn’t impede productivity — otherwise, employees will inevitably find a way around corporate policy and go off-grid.
So what’s the answer? It all starts with drawing up a watertight policy governing all mobile devices and removable media. No two organisations are the same, so you’ll have to carefully consider what your risk appetite is and build policy around that. However, a policy is only the first step: now you need a way to enforce it down to every single device.
A study from Apricorn last year revealed that over a third of organisations had suffered a breach as a result of mobile working, with a quarter of organisations claiming to have no way of enforcing their security strategies.
This is where mobile device management platforms can help. You need to be considering:
- Strong data encryption — one of the few specific controls the GDPR names explicitly, so it really is essential
- Remote wipe capabilities
- Device password protection
- Regular back-ups
- Centralised management
- Regular over-the-air software updates
Alongside cybersecurity training and awareness programmes and cyber-insurance for those devices, you should now have the makings of a decent mobile security strategy. It will also need to be adaptable enough to change over time. If there’s one thing we can be sure of, it’s that the nature of mobile threats will change.