Smash-and-Grab Crime Threatens Enterprise Security
Getting your company smartphone or laptop stolen from your car isn't just a hassle; it can have large regulatory ramifications, too. Visibility is the answer.
From San Francisco to Denver to Washington, DC, a "smash-and-grab" car crime wave appears to be striking the nation. In the month of April alone, vehicle break-ins averaged 51 per day just in San Francisco, with mobile phones, laptops, and tablets on the list of most in-demand and easy-to-snatch items.
In light of this, it's important to look at the IT security risks businesses are exposed to as a result of such crimes. The reality is that while mobile devices may be sitting in a parked car, they're likely connected to a corporate network. Add to that the fact that half of IT professionals surveyed reported a data breach resulting from a lost laptop, and the global average cost of a breach is more than $3 million, and it's not a good mix.
Against this backdrop, there's an important facet to the smash-and-grab situation that must be addressed: breach notification laws. Many countries and states have laws requiring notification to authorities and affected parties in the event of a data breach. In California, for instance, the state's S.B. 1386 data breach notification law includes notification requirements for organizations in situations where data might have been exposed.
Now, there's a chance that you do have a "get out of jail free" card, so to speak, if you can demonstrate that the data was encrypted. Unfortunately, without proof of encryption, you have no card to use. This means that it's critical not only to have encryption on the device but to be able to demonstrate that it was switched on in order to mitigate direct losses and to prevent the embarrassment of having to make a public mea culpa for it.
When devices are "dark" or unmanageable and outside the control of IT, they pose a significant threat. When company employees cite "cars and transportation" as the No. 1 location where they've experienced IT theft, the security status of these devices can't be a question mark — especially not when sensitive, possibly regulated data subject to breach notification laws is involved.
To prevent both economic and reputational loss, you need visibility. (Note: Absolute is a vendor of visibility technology, along with a number of other companies.) In fact, you need two types of it: ongoing visibility, which allows you to see that security controls are switched on and take the proper steps to secure sensitive data; and post hoc visibility, which allows you to prove it after a theft like a smash-and-grab when S.B. 1386 comes knocking. Without a clear line-of-sight, though, there is no way to know all resources — data, devices, users, and apps — are secure.
Sadly, security investment strategy can easily miss the mark here when, as former 451 Research analyst Javvad Malik says: "An informal method that is often seen at companies that have lower security maturity is spending just the minimum amount required until the next breach or incident is reported. Conversely, other companies spend freely, though not necessarily wisely, until their budgets have been exhausted."
Case in point: When a security leader approaches the CFO with a request to spend money on device safeguards because the organization recently experienced a stolen laptop, she or he will probably get budget approval. Down the line, in the likely event that the stolen laptop scenario repeats itself, if that security leader can't show that encryption was switched on, then the organization missed half of the value of the amount it spent. The technology may or may not have protected the company's data, but it certainly didn't protect the security leader's backside because the company doesn't have the visibility to know one way or the other.
It's important to understand your environment, know what hardware you have, and then go beyond the devices themselves to include intelligence around the applications or software on them, looking at what applications are being used by an individual. All of this insight helps you assess risk. At the end of the day, it's about properly protecting your organization's data, deriving value from all of your security budget, and breathing a bit easier despite the frequency of device losses and theft.
Related Content:
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024