Remember: Breaches aren't only digital
by David Levine
The physical security of devices and documents is a crucial piece of your company’s data protection plan.
In fact, one of the largest data breaches in history is attributable to poor physical security: 26 million private records for U.S. veterans, stored in an unencrypted database on an external hard drive, were stolen in a burglary of an analyst's home. Unfortunately, it is all too easy for employees to think of data security as something that does not involve them, as if it were an IT issue, a matter of networks and code, purely digital.
Every day, mobile devices and laptops are left in a car or on a desk in the office, unlocked, with the data readily available to anybody walking by. Often these devices end up stolen. When that happens, recovering the hardware is the least of your worries; the data is typically far more valuable. At that point, all you can do is hope the thief was after the device and not the data.
The size of the threat
In October 2014, the state of California reported that physical theft and loss made up 26 percent of all reported data breaches. Although hacking and malware are responsible for the bulk of data breaches, simply walking off with a laptop, flash drive or stack of documents — or absentmindedly leaving them somewhere — remains one of the easiest ways for sensitive data to end up in the wrong hands.
Perhaps even more unsettling than the potential for a device to go missing is the potential for a device to be tampered with without the employee knowing. If a device is left unattended, even briefly, someone with physical access can install malware, use the device and its logged-in sessions to reach the IT environment, copy information, or plant a backdoor that allows access later, all during the owner's absence. It is not uncommon for American business travelers in foreign countries to later discover that their laptops were compromised with spyware despite having been left in locked hotel rooms.
In a digital world, paper documents may seem to have lost significance or value. But hard copies need to be protected and accounted for just as carefully as their digital counterparts.
The U.S. Department of Veterans Affairs (VA) offers a sobering example. Not only did it suffer the major breach mentioned earlier, but by its own estimate, between 96 and 98 percent of its data security incidents can be traced to improperly protected paper documents.
And while malicious intent cannot be ruled out in some cases, the majority likely result from simple carelessness on the part of employees. Innocent mistakes, such as mailing a letter containing sensitive data to the wrong recipient or leaving documents behind in a restroom, can have grave consequences. A loss or leak of sensitive information is just as damaging whether it is accidental or intentional. So beyond making employees aware of these dangers, along with email phishing and other digital threats, companies need to insist on protecting hard copies of critical files.
Best practices for physical security
The first line of defense is your employees themselves, but IT and management also have roles to play in physical security.
When away from the office, employees should keep portable work devices on their person whenever possible. It may be tempting to ask a fellow coffee shop customer or conference attendee to "watch their stuff" while they visit the restroom or take a call outside, but that is not giving security its due. If a document or device holds company information, it should never be out of sight.
When at the office, secure the desk environment. Portable devices and hard drives not in use should be in locked cabinet drawers, and laptops should be anchored to desks or kept behind locked doors. (It sounds extreme, but devices are routinely stolen from personal work areas, not just from cars and coffee shops.)
Require employees to enable password or PIN protection, with an automatic screen lock, on their devices as part of your BYOD policy.
Ensure you have remote-wipe capability so that, once you confirm an employee's device is lost or stolen, you can erase its data and protect the company from leaks and from criminal access to the enterprise network. This is another must-have in your BYOD policy.
Disk (HDD/SSD) encryption. This protects laptops by rendering the data stored on the drive unreadable: without the encryption key, or the passphrase that unlocks it, the data cannot be retrieved. Encryption products vary in type and strength, so the level of protection varies too. Note that encryption only protects a device that is powered off or locked; a running, unlocked laptop exposes its decrypted data to whoever picks it up, which is why it goes hand in hand with screen locks and the habits above.
Seek out enterprise equipment that has safeguards for securing paper documents. These may include print devices that restrict access to certain users via integrated circuit (IC) cards or which curb unsanctioned duplication by automatically superimposing warning messages on copies made without authorization. Ideally, documents will be secure at every stage — from creation to processing, management, storage and disposal — and a partner in managed document services can assist in providing the equipment, software and best practices.
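Encryption that is assumed to be on but was never actually enabled is a common gap, so a practitioner will want to verify it on the hardware being issued rather than take the build sheet's word for it. The following shell function is an added example, not code from the article: it parses the key="value" output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on a Linux laptop and reports whether the root filesystem sits on a dm-crypt (LUKS) device anywhere in its device chain. The two `lsblk` outputs embedded below are constructed samples for the illustration. On Windows and macOS the equivalent built-in checks are `manage-bde -status` and `fdesetup status`.

```shell
# Added example (not from the article): verify that a Linux laptop's root
# filesystem really sits on an encrypted (dm-crypt/LUKS) block device, using
# the pairs output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`.
# The sample outputs further down are constructed for illustration.

# root_is_encrypted LSBLK_OUTPUT
# Exit status: 0 if the device mounted at / has a TYPE="crypt" ancestor,
#              1 if no encryption layer is found, 2 if no root mount is present.
root_is_encrypted() {
    printf '%s\n' "$1" | awk '
        # Extract KEY="value" from one lsblk -P line. A space is prepended so
        # that looking for NAME cannot accidentally match inside PKNAME.
        function field(s, key,    m) {
            if (!match(" " s, " " key "=\"[^\"]*\"")) return ""
            m = substr(" " s, RSTART, RLENGTH)
            sub(/^ [A-Z]+="/, "", m)   # drop the leading  KEY="
            sub(/"$/, "", m)           # drop the closing quote
            return m
        }
        {
            name = field($0, "NAME")
            devtype[name] = field($0, "TYPE")
            parent[name]  = field($0, "PKNAME")
            if (field($0, "MOUNTPOINT") == "/") root = name
        }
        END {
            if (root == "") exit 2
            # Walk up the device tree (e.g. lvm -> crypt -> part -> disk)
            # and succeed if any ancestor is a dm-crypt mapping.
            for (n = root; n != ""; n = parent[n])
                if (devtype[n] == "crypt") exit 0
            exit 1
        }'
}

# Run the check against the machine this script is executed on.
check_this_host() {
    root_is_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"
}

# Constructed sample: LUKS container on the second partition, root on an LVM
# logical volume inside it.
ENCRYPTED_SAMPLE='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"'

# Constructed sample: plain partitions with no encryption layer anywhere.
PLAIN_SAMPLE='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# Usage on a real laptop (not run automatically here):
#   check_this_host && echo "root is encrypted" || echo "root is NOT encrypted"
```

The check confirms only that the encryption layer is present under `/`; it says nothing about the passphrase strength, about a separate unencrypted `/home` partition, or about a suspended laptop whose key is still held in memory. Those are exactly the reasons the check belongs alongside the screen-lock and remote-wipe requirements rather than in place of them.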
Don't overlook information stored in physical form
Physical security measures have to be taken seriously. Employee training and behavior are the greatest protections your enterprise can pursue.
California Department of Justice, "California Data Breach Report," October 2014. https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf