Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/8/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Smash-and-Grab Crime Threatens Enterprise Security

Getting your company smartphone or laptop stolen from your car isn't just a hassle; it can have large regulatory ramifications, too. Visibility is the answer.

From San Francisco to Denver to Washington, DC, a "smash-and-grab" car crime wave appears to be striking the nation. In the month of April alone, vehicle break-ins averaged 51 per day just in San Francisco, with mobile phones, laptops, and tablets on the list of most in-demand and easy-to-snatch items.

In light of this, it's important to look at the IT security risks businesses are exposed to as a result of such crimes. The reality is that while mobile devices may be sitting in a parked car, they're likely connected to a corporate network. Add to that the fact that half of IT professionals surveyed reported a data breach resulting from a lost laptop, and the global average cost of a breach is more than $3 million, and it's not a good mix.

Against this backdrop, there's an important facet to the smash-and-grab situation that must be addressed: breach notification laws. Many countries and states have laws requiring notification to authorities and affected parties in the event of a data breach. In California, for instance, the state's S.B. 1386 data breach notification law includes notification requirements for organizations in situations where data might have been exposed.

Now, there's a chance that you do have a "get out of jail free" card, so to speak, if you can demonstrate that the data was encrypted. Unfortunately, without proof of encryption, you have no card to use. This means that it's critical not only to have encryption on the device but to be able to demonstrate that it was switched on in order to mitigate direct losses and to prevent the embarrassment of having to make a public mea culpa for it.

When devices are "dark" or unmanageable and outside the control of IT, they pose a significant threat. When company employees cite "cars and transportation" as the No. 1 location where they've experienced IT theft, the security status of these devices can't be a question mark — especially not when sensitive, possibly regulated data subject to breach notification laws is involved.

To prevent both economic and reputational loss, you need visibility. (Note: Absolute is a vendor of visibility technology, along with a number of other companies.) In fact, you need two types of it: ongoing visibility, which allows you to see that security controls are switched on and take the proper steps to secure sensitive data; and post hoc visibility, which allows you to prove it after a theft like a smash-and-grab when S.B. 1386 comes knocking. Without a clear line-of-sight, though, there is no way to know all resources — data, devices, users, and apps — are secure.

Sadly, security investment strategy can easily miss the mark here when, as former 451 Research analyst Javvad Malik says: "An informal method that is often seen at companies that have lower security maturity is spending just the minimum amount required until the next breach or incident is reported. Conversely, other companies spend freely, though not necessarily wisely, until their budgets have been exhausted."

Case in point: When a security leader approaches the CFO with a request to spend money on device safeguards because the organization recently experienced a stolen laptop, she or he will probably get budget approval. Down the line, in the likely event that the stolen laptop scenario repeats itself, if that security leader can't show that encryption was switched on, then the organization missed half of the value of the amount it spent. The technology may or may not have protected the company's data, but it certainly didn't protect the security leader's backside because the company doesn't have the visibility to know one way or the other.

It's important to understand your environment, know what hardware you have, and then go beyond the devices themselves to include intelligence around the applications or software on them, looking at what applications are being used by an individual. All of this insight helps you assess risk. At the end of the day, it's about properly protecting your organization's data, deriving value from all of your security budget, and breathing a bit easier despite the frequency of device losses and theft.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Nicko van Someren serves as Absolute's Chief Technology Officer, where he oversees the direction and strategic vision of Absolute's product architecture and security road map. He has more than two decades of experience leading, developing, and bringing to market-disruptive ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.