Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/8/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Smash-and-Grab Crime Threatens Enterprise Security

Getting your company smartphone or laptop stolen from your car isn't just a hassle; it can have large regulatory ramifications, too. Visibility is the answer.

From San Francisco to Denver to Washington, DC, a "smash-and-grab" car crime wave appears to be striking the nation. In the month of April alone, vehicle break-ins averaged 51 per day just in San Francisco, with mobile phones, laptops, and tablets on the list of most in-demand and easy-to-snatch items.

In light of this, it's important to look at the IT security risks businesses are exposed to as a result of such crimes. The reality is that while mobile devices may be sitting in a parked car, they're likely connected to a corporate network. Add to that the fact that half of IT professionals surveyed reported a data breach resulting from a lost laptop, and the global average cost of a breach is more than $3 million, and it's not a good mix.

Against this backdrop, there's an important facet to the smash-and-grab situation that must be addressed: breach notification laws. Many countries and states have laws requiring notification to authorities and affected parties in the event of a data breach. In California, for instance, the state's S.B. 1386 data breach notification law includes notification requirements for organizations in situations where data might have been exposed.

Now, there's a chance that you do have a "get out of jail free" card, so to speak, if you can demonstrate that the data was encrypted. Unfortunately, without proof of encryption, you have no card to use. This means that it's critical not only to have encryption on the device but to be able to demonstrate that it was switched on in order to mitigate direct losses and to prevent the embarrassment of having to make a public mea culpa for it.

When devices are "dark" or unmanageable and outside the control of IT, they pose a significant threat. When company employees cite "cars and transportation" as the No. 1 location where they've experienced IT theft, the security status of these devices can't be a question mark — especially not when sensitive, possibly regulated data subject to breach notification laws is involved.

To prevent both economic and reputational loss, you need visibility. (Note: Absolute is a vendor of visibility technology, along with a number of other companies.) In fact, you need two types of it: ongoing visibility, which allows you to see that security controls are switched on and take the proper steps to secure sensitive data; and post hoc visibility, which allows you to prove it after a theft like a smash-and-grab when S.B. 1386 comes knocking. Without a clear line-of-sight, though, there is no way to know all resources — data, devices, users, and apps — are secure.

Sadly, security investment strategy can easily miss the mark here when, as former 451 Research analyst Javvad Malik says: "An informal method that is often seen at companies that have lower security maturity is spending just the minimum amount required until the next breach or incident is reported. Conversely, other companies spend freely, though not necessarily wisely, until their budgets have been exhausted."

Case in point: When a security leader approaches the CFO with a request to spend money on device safeguards because the organization recently experienced a stolen laptop, she or he will probably get budget approval. Down the line, in the likely event that the stolen laptop scenario repeats itself, if that security leader can't show that encryption was switched on, then the organization missed half of the value of the amount it spent. The technology may or may not have protected the company's data, but it certainly didn't protect the security leader's backside because the company doesn't have the visibility to know one way or the other.

It's important to understand your environment, know what hardware you have, and then go beyond the devices themselves to include intelligence around the applications or software on them, looking at what applications are being used by an individual. All of this insight helps you assess risk. At the end of the day, it's about properly protecting your organization's data, deriving value from all of your security budget, and breathing a bit easier despite the frequency of device losses and theft.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Nicko van Someren serves as Absolute's Chief Technology Officer, where he oversees the direction and strategic vision of Absolute's product architecture and security road map. He has more than two decades of experience leading, developing, and bringing to market-disruptive ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...