by David Levine
The physical security of devices and documents is a crucial piece of your company’s data protection plan. In fact, one of the largest data breaches in history owes to poor physical security: 26 million private records for U.S. veterans, stored in an unencrypted database on an external hard drive, were stolen in a burglary of an analyst’s home.[1]
Unfortunately, it’s all too easy for employees to think of data security as something that doesn’t involve them — as if it’s an IT issue, a matter of networks and code, purely digital.
I see examples of this all the time, both in and outside of the workplace. Every day, mobile devices or laptops are left in a car or on a desk in the office, unlocked, data readily available to anybody walking by. Oftentimes, these devices end up stolen. And when that happens, getting the device back is the least of your worries—the data is typically much more valuable. At that point, all you can do is hope that the thief was after the device and not the data.
In this post, I’ll analyse some of the biggest threats to critical physical assets and discuss best practices for keeping them safe.
In October 2014, the state of California reported that physical theft and loss made up 26 percent of all reported data breaches.[2]
Although hacking and malware are responsible for the bulk of data breaches, simply walking off with a laptop, flash drive or stack of documents — or absentmindedly leaving them somewhere — remains one of the easiest ways for sensitive data to end up in the wrong hands.
And because it’s so easy, we may see more and more physical breaches in the future. According to a report by Verizon, the number of physical security breaches doubled from 2012 to 2013.[3]
Tablets and smartphones are convenient not only for employees but for thieves as well. In a recent Forrester Consulting survey, 60% of organisations reported loss or theft of a smartphone over the past 12 months, while 43% reported the loss of a tablet.[4]
In a mobile world where workers carry devices, and therefore sensitive information, everywhere they go, you might expect those devices to be most vulnerable in airports and other locations away from the office. In fact, the places from which devices most often go missing or are stolen are the employee’s own work area and personal vehicle.[5]
Employees are correct to be on guard about security when traveling, but it’s clear that they must maintain their vigilance at the workplace as well.
Perhaps even more unsettling than the potential for a device to go missing is the potential for a device to be tampered with without the employee knowing. If a device is left unattended, someone can install malware in the employee’s absence, use the device to access the IT environment, steal information, or establish a backdoor that will allow access at a later time. It’s not uncommon for American business travelers in certain foreign countries to later discover that their laptops have been compromised with spyware, despite having left them in their locked hotel rooms.
In a digital world, paper documents may seem to have diminished significance or value. But hard copies need to be protected and accounted for just as carefully as their digital counterparts.
The VA offers a sobering example. Not only did it suffer the major breach mentioned earlier, but by its own estimate, between 96% and 98% of its data security incidents can be traced to improperly protected paper documents.[6]
Malicious intent is certainly behind some of these cases, but a majority may result from simple carelessness on the part of employees. Innocent mistakes such as sending a letter with sensitive data to the wrong recipient or inadvertently leaving documents in a restroom can have grave consequences. A loss or leak of sensitive information is just as catastrophic whether it’s accidental or intentional. So in addition to the awareness employees need to have about the dangers of email phishing attempts and other digital vulnerabilities, there needs to be an insistence on protecting hard copies of critical files.
Defending your realm: Best practices for physical security
The first line of defense is your employees themselves, but IT and management also have roles to play in physical security.
- When away from the office, employees should keep portable work-related devices on their person whenever possible. It may be tempting to ask a fellow coffee shop customer or conference attendee to “watch their stuff” while they go to the bathroom or take a call outside, but this is not giving security its due. If a document or device has company information on it, it should never be out of sight.
- When at the office, secure the desk environment. Portable devices and hard drives not in use should be in locked cabinet drawers, and laptops should be anchored to desks or behind locked doors. (It sounds extreme, but remember the statistic: Almost half of all stolen devices are taken from personal work areas.)
- Require employees to activate password/PIN protection for their devices as part of your BYOD policy.
- Guarantee remote wiping capabilities so that, should you confirm that an employee’s device is lost or stolen, you can erase its data and protect the company from leaks and criminal access to the enterprise network. This is another must-have in your BYOD policy.
- HDD encryption. This is an approach to protecting laptops that renders the data stored on the device unreadable. Without the encryption keys or proper passwords, the data cannot be retrieved. There are a variety of types and levels of encryption offering varying degrees of protection. Note that disk encryption protects data at rest: a laptop left unlocked and logged in on a desk exposes its data regardless of how the drive is encrypted, which is why the password/PIN and screen-lock requirements above matter just as much.
- Seek out enterprise equipment that has safeguards for securing paper documents. These may include print devices that restrict access to certain users via integrated circuit (IC) cards or which curb unsanctioned duplication by automatically superimposing warning messages on copies made without authorization. Ideally, documents will be secure at every stage — from creation to processing, management, storage and disposal — and a partner in managed document services can assist in providing the equipment, software and best practices.
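One concrete way for IT to verify the HDD encryption item above across a Linux laptop fleet, as an added example that is not from the original post or its author: the script below parses the JSON form of `lsblk` output and reports every mounted filesystem that does not sit on a dm-crypt (LUKS) layer. The `lsblk` JSON sample embedded in the script is constructed for illustration rather than captured from a real host, and the function names (`audit_mounts`, `unencrypted_mounts`) are my own.

```python
"""Audit which mounted filesystems are backed by a dm-crypt (LUKS) layer.

Reads `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (JSON) and walks the device
tree: a filesystem counts as encrypted when it, or any device above it in
the tree, has TYPE == "crypt". /boot and the EFI system partition are
excluded because the bootloader normally lives on plaintext storage.
"""
import json
import subprocess

# Constructed sample of lsblk JSON output (hypothetical host, not real data):
#   sda2 carries a plaintext /data partition,
#   sda3 holds a LUKS container whose mapping "cryptroot" carries /,
#   sdb1 is an unencrypted USB stick mounted at /mnt/usb.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "mountpoint": "/data"},
      {"name": "sda3", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/mnt/usb"}
    ]}
  ]
}
"""

IGNORED_MOUNTS = ("/boot", "/boot/efi")


def _mountpoints(node):
    """Return the node's mountpoints, handling both the older single
    'mountpoint' string and the newer 'mountpoints' list field of lsblk."""
    mps = node.get("mountpoints")
    if mps is None:
        mp = node.get("mountpoint")
        mps = [mp] if mp else []
    return [m for m in mps if m]


def _walk(node, ancestor_encrypted, results):
    """Depth-first walk; encryption status is inherited from any parent."""
    encrypted = ancestor_encrypted or node.get("type") == "crypt"
    for mp in _mountpoints(node):
        results[mp] = (node["name"], encrypted)
    for child in node.get("children", []):
        _walk(child, encrypted, results)
    return results


def audit_mounts(lsblk_json, ignore=IGNORED_MOUNTS):
    """Map each mountpoint to (device name, is_encrypted), minus ignored ones."""
    tree = json.loads(lsblk_json)
    results = {}
    for dev in tree["blockdevices"]:
        _walk(dev, False, results)
    return {mp: info for mp, info in results.items() if mp not in ignore}


def unencrypted_mounts(lsblk_json):
    """Sorted list of mountpoints with no dm-crypt layer beneath them."""
    return sorted(mp for mp, (_, enc) in audit_mounts(lsblk_json).items() if not enc)


def local_lsblk_json():
    """Run lsblk on this host; fall back to the constructed sample if absent."""
    try:
        proc = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                              capture_output=True, text=True, check=True)
        return proc.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_LSBLK_JSON


if __name__ == "__main__":
    data = local_lsblk_json()
    for mp, (dev, enc) in sorted(audit_mounts(data).items()):
        print(f"{mp:<12} {dev:<12} {'encrypted' if enc else 'PLAINTEXT'}")
    plain = unencrypted_mounts(data)
    print("FAIL: unencrypted mounts:", ", ".join(plain) if plain else "none")
```

Run against the sample, the script flags `/data` and `/mnt/usb` as plaintext while `/` passes because it is mounted from the `cryptroot` mapping. The same check on Windows and macOS laptops would use the platform's own status commands (`manage-bde -status` for BitLocker, `fdesetup status` for FileVault) rather than `lsblk`.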
Even in a digital age, information will always be stored in one physical form or another. So physical security measures have to be taken seriously. In my experience, employee training and behavior are the greatest protections your enterprise can pursue — and this holds true for digital protections as well. Find out more in “New Workstyles Demand New Security Awareness.”
1. “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans,” Department of Veterans Affairs Office of Inspector General, July 11, 2006.
2. Kamala D. Harris, “California Data Breach Report,” California Department of Justice Office of the Attorney General, October 2014.
3. “2014 Data Breach Investigations Report,” Verizon, June 2014.
4. Harris, “Cybersecurity in the Golden State,” 2014.
5. Ibid. 3, p. 27.
6. Richard W. Walker, “Most VA Privacy Breaches Trace To Paper, Not PCs,” InformationWeek, August 14, 2013.