You may have seen the recent news about a man losing an entire city’s personal data including tax and banking information after a night out, presumably the data loss did not help his headache once he realised what had happened.
This is far from a unique incident though, Freedom of Information (FOI) requests are often made to UK Government bodies with telling results, devices go missing all the time.
(National Archives 1 / National Archives 2)
If devices are being regularly lost and stolen from public sector entities, it is almost certain that the same is happening across the private sector. This is a major concern for several reasons, many organisations do not have a robust data loss prevention strategy meaning that a lost laptop or USB stick could lead to a significant data loss and even fines and reputational damage.
Clearly this is a problem that affects almost any organisation, thankfully there are a number of steps that can be taken to assist in securing devices and data to help ensure that, if physical devices get lost or stolen the data contained therein is kept safe and away from prying eyes.
Disallow USB Storage Devices
An important aspect of limiting risk is simply to remove features that are not necessary for the business, especially if they could pose a risk of data theft.
Removing support for USB storage devices is a simple and effective way to significantly lower the risk of data being lost or stolen.
The increased adoption of cloud-based file sharing also helps to ensure that removable media is less necessary than it was a few years ago meaning the impact to most businesses of removing access to USB sticks would be minimal.
There is an added bonus to preventing the use of USB storage too, ‘USB Drop Attacks’ are an effective social engineering technique whereby an attacker adds a malicious payload to USB sticks and drops them around the target organisation’s location in order to hopefully coerce a legitimate user to plug the device in (perhaps by adding a label like “Salary Info 2022”).
Preventing users from using USB storage devices neatly side-steps this risk (on corporate devices at least) since any malicious USB stick cannot be used.
USB Storage Encryption
Assuming it’s not possible to completely eradicate the use of removable USB storage in your organisation, at the very least it is imperative to ensure that any corporate data is encrypted using a strong encryption algorithm and, just as importantly, a strong password (read more about creating strong passwords).
Microsoft’s Bitlocker provides an easy and effective way of encrypting removable USB media as well as FDE (Full Disk Encryption) on laptops.
One thing to note is that it will take a while for the disk to encrypt, do not remove the device during the process or any data risks being lost permanently; it is generally considered to be a good idea to back-up any data prior to implementing the encryption anyway.
Laptop Full Disk Encryption
Using FDE on all corporate devices is a must, again Bitlocker can be used for this in the same way as above or from Group Policy in a corporate environment.
The relevant GPO configuration can be found here:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Ensuring that all corporate devices are using strong encryption with good credentials could prevent sensitive data from ending up in the wrong hands if a corporate device were to go missing.
Device Hardening
As we have already discussed, ensuring that data is encrypted is absolutely essential but what if a device is powered on and decrypted when it goes missing?
In a situation like this the security of the operating system and the user’s credentials are the last line of defence.
By default, operating systems are rarely configured in their most secure state in order to allow for legacy integrations and to help keep the user experience as smooth as possible; ensuring that all corporate devices are hardened against attack helps to make sure that data is kept secure.
Backups
In addition to the threat of sensitive data being leaked there is an additional problem of simply losing access to any data stored on a lost/stolen device.
Ensuring that regular back-ups are taken or switching to a cloud-based working environment can help to ensure that, even if a device gets lost or stolen, access to any valuable data held on the device is not lost and the business can continue to operate as normal.
User Education
This is likely the most obvious but also often the most overlooked aspect of all, ensuring that staff take good care of corporate devices is key. Human factors play a major role in the vast majority of cyber security compromises and breaches. Providing training to staff members to help ensure that they understand the risks of taking corporate devices or data into a public setting can help to ensure that corporate data is kept safe.