Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/8/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Smash-and-Grab Crime Threatens Enterprise Security

Getting your company smartphone or laptop stolen from your car isn't just a hassle; it can have large regulatory ramifications, too. Visibility is the answer.

From San Francisco to Denver to Washington, DC, a "smash-and-grab" car crime wave appears to be striking the nation. In the month of April alone, vehicle break-ins averaged 51 per day just in San Francisco, with mobile phones, laptops, and tablets on the list of most in-demand and easy-to-snatch items.

In light of this, it's important to look at the IT security risks businesses are exposed to as a result of such crimes. The reality is that while mobile devices may be sitting in a parked car, they're likely connected to a corporate network. Add to that the fact that half of IT professionals surveyed reported a data breach resulting from a lost laptop, and the global average cost of a breach is more than $3 million, and it's not a good mix.

Against this backdrop, there's an important facet to the smash-and-grab situation that must be addressed: breach notification laws. Many countries and states have laws requiring notification to authorities and affected parties in the event of a data breach. In California, for instance, the state's S.B. 1386 data breach notification law includes notification requirements for organizations in situations where data might have been exposed.

Now, there's a chance that you do have a "get out of jail free" card, so to speak, if you can demonstrate that the data was encrypted. Unfortunately, without proof of encryption, you have no card to use. This means that it's critical not only to have encryption on the device but to be able to demonstrate that it was switched on in order to mitigate direct losses and to prevent the embarrassment of having to make a public mea culpa for it.

When devices are "dark" or unmanageable and outside the control of IT, they pose a significant threat. When company employees cite "cars and transportation" as the No. 1 location where they've experienced IT theft, the security status of these devices can't be a question mark — especially not when sensitive, possibly regulated data subject to breach notification laws is involved.

To prevent both economic and reputational loss, you need visibility. (Note: Absolute is a vendor of visibility technology, along with a number of other companies.) In fact, you need two types of it: ongoing visibility, which allows you to see that security controls are switched on and take the proper steps to secure sensitive data; and post hoc visibility, which allows you to prove it after a theft like a smash-and-grab when S.B. 1386 comes knocking. Without a clear line-of-sight, though, there is no way to know all resources — data, devices, users, and apps — are secure.

Sadly, security investment strategy can easily miss the mark here when, as former 451 Research analyst Javvad Malik says: "An informal method that is often seen at companies that have lower security maturity is spending just the minimum amount required until the next breach or incident is reported. Conversely, other companies spend freely, though not necessarily wisely, until their budgets have been exhausted."

Case in point: When a security leader approaches the CFO with a request to spend money on device safeguards because the organization recently experienced a stolen laptop, she or he will probably get budget approval. Down the line, in the likely event that the stolen laptop scenario repeats itself, if that security leader can't show that encryption was switched on, then the organization missed half of the value of the amount it spent. The technology may or may not have protected the company's data, but it certainly didn't protect the security leader's backside because the company doesn't have the visibility to know one way or the other.

It's important to understand your environment, know what hardware you have, and then go beyond the devices themselves to include intelligence around the applications or software on them, looking at what applications are being used by an individual. All of this insight helps you assess risk. At the end of the day, it's about properly protecting your organization's data, deriving value from all of your security budget, and breathing a bit easier despite the frequency of device losses and theft.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Nicko van Someren serves as Absolute's Chief Technology Officer, where he oversees the direction and strategic vision of Absolute's product architecture and security road map. He has more than two decades of experience leading, developing, and bringing to market-disruptive ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25821
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-3130
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
CVE-2020-3133
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
CVE-2020-3135
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...
CVE-2020-3137
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because th...