[BreachExchange] Why stolen laptops still cause data breaches, and what's being done to stop them

Wed Feb 24 19:02:41 EST 2016

http://www.pcworld.com/article/3021316/security/why-stolen-laptops-still-cause-data-breaches-and-whats-being-done-to-stop-them.html

Every time a stolen laptop leads to a data breach, you wonder why the
business involved hadn’t set up any safeguards. When the unencrypted laptop
was stolen from a former physician at the University of Oklahoma, for
instance, or when a laptop was stolen from insurance provider Oregon Health
Co-op containing data on 15,000 members.

You’d think money would motivate them, if nothing else. In November, EMC
and Hartford Hospital were ordered to pay US$90,000 to the state of
Connecticut over the theft of an unencrypted laptop in 2012 containing data
on nearly 9,000 people. The laptop was stolen from an EMC employee’s home.

The problem extends far beyond the healthcare industry, too—such as the
laptop stolen from SterlingBackCheck, a New York-based background screening
service. The laptop contained data on 100,000 people.

These types of breaches don’t quite grab the same headlines as major
cybercrimes and hacking incidents, if only because a thousand employees
affected by a laptop theft is less dramatic than 40 million customers at
Target. But it’s a lot easier to steal a laptop than it is to hack into a
corporate database, so the theft and loss of laptops, as well as desktops
and flash drives, highlight the need for enhanced physical security and
employee training.

It's easier to steal a laptop than to hack a database

The organizations mentioned here have wised up. A spokesperson for the
University of Oklahoma said it has launched an encryption program and new
training for employees when it comes to handling sensitive data.

SterlingBackCheck said it has updated its encryption and audit procedures,
revised its equipment custody protocols, retrained employees on privacy and
data security, and installed remote-wipe software on portable devices.

Another threat to your data is the proliferation of Bring You Own Device
(BYOD) policies and mobile workers. Gartner anticipates that half of all
companies will have some need for a BYOD policy by 2017. Workers will be
using their own devices as well as company-issued ones in the office or on
the go. This opens up a new risk if devices are lost or stolen.

Security firms like Sophos urge companies to put a robust policy in place
for the handling of professional devices, including full disk encryption as
well as encrypted cloud and removable media. A strong password is highly
recommended too, but it’s not enough on its own.

A greater sense of urgency wouldn’t hurt, either. In Oklahoma, the
physician had actually left his position at the university before his
personal laptop went missing. He couldn’t say for sure whether it contained
sensitive data, but by the time that possibility arose, it was too late.

In another incident, at manufacturer Tremco, an employee lost a
company-issued laptop on a plane. It was several weeks before the employee
realized that it contained spreadsheets of personal employee data.

Encryption, remote wiping, better data tracking

Companies need to know where their data is at all times—not just what
device it is on, but where that device is located physically.

This highlights the need for remote wiping tools, which SterlingBackCheck
has put in place. If a laptop is lost or stolen, the company should have an
easy way to remotely wipe the sensitive data to ensure it never leaks.

Much like large-scale hacking attacks, it’s the consumer or the patient
that really suffers when a data breach occurs. The onus lies with the
company to handle this data responsibly, whether it’s in the cloud or on a
laptop on the bus.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160224/aa224f31/attachment-0001.html>