In late September I published my research paper titled Follow the Data: Dissecting Data Breaches and Debunking the Myths that delved deep into the causes behind data breaches. The goal of the paper was to provide a thorough analysis of data breaches so businesses and organizations could better understand the problem and learn how to defend against them.
Since then I have received a lot of feedback about the paper. More than one person has asked me: Why are so many data breaches caused by device loss or physical record theft? This is a very important question. Physical loss of data (both in electronic and non-electronic forms) accounts for more than half of all incidents that we observed.
Figure 1. Reasons behind data loss incidents
Physical loss of data can take a variety of forms. Devices (e.g. desktop PCs, laptops, tablets, smartphones) or storage media (e.g. portable hard drives, USB thumb drives, optical media) might be misplaced, lost by unwitting employees, or stolen by thieves. Short of handcuffing these items to the employees, preventing this kind of threat is extremely difficult.
There is no one industry that was hardest hit by loss or theft: it was observed happening in all industries that we studied in the paper. The majority of these losses can be attributed to either acts of negligence or crimes of convenience: a street criminal steals a laptop with no awareness of what is on it. Even if the items stolen have a small resale value (such as hard drives and thumb drives), they are still targets of opportunity for petty thieves. High-level executives may face targeted thefts of their devices, but by volume those attacks are dwarfed by breaches from everyday loss or theft.
Physical loss is a sizable chunk of the data loss problem. Online data breaches may be more damaging and grab headlines, but physical losses are more frequent. So how can an organization cope with this problem?
Some attempts to reduce physical losses wouldn’t hurt. Besides reminders to employees to take care of their devices, technology can also help. Wireless tags (powered by Bluetooth or NFC technology) are available that can help users keep track of multiple devices that they usually have around them at any given time. These would alert the user if the tag gets too far away from a master device, usually a smartphone running an app which monitors the proximity of the tag.
If a device is lost, then steps should be taken to ensure that device loss does not become data loss. Fortunately, security best practices can help. Devices that are properly configured with strong authentication (such as passwords or biometrics) will prevent thieves from accessing the stored data if the device has been stolen. Similarly, disk encryption will prevent the attacker from accessing sensitive data.
Data that is not deleted securely may still pose risks, so it is important that secure data deletion is implemented whenever applicable. Such instances include when the device is returned to the IT department, when the device is taken out of commission, or whenever the user of the device sees fit (thus it is recommended that secure data deletion be offered as an option to users within the network).
Mobile-connected devices should have location services and remote management enabled, so that their location can be tracked and, if required, the device can be remotely wiped. Procedures should also be in place so IT departments can change authentication credentials and encryption keys if needed.
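The controls described above can be applied as a triage check when a device is reported lost. The following is an added example, not code from this post or the research paper; the inventory fields, exposure labels and the always-rotate-credentials policy are assumptions, and the sample devices are constructed.

```python
from dataclasses import dataclass

@dataclass
class Device:
    # Field names are assumptions for this example, not a real MDM schema.
    asset_id: str
    strong_auth: bool      # password or biometric unlock enforced
    disk_encrypted: bool   # disk encryption enabled
    remote_mgmt: bool      # location services and remote wipe enrolled
    sensitive_data: bool   # device stores sensitive records

def gaps(dev):
    """Return the controls from the post that this device is missing."""
    checks = {"strong_auth": dev.strong_auth,
              "disk_encryption": dev.disk_encrypted,
              "remote_management": dev.remote_mgmt}
    return [name for name, ok in checks.items() if not ok]

def triage(dev):
    """Classify a loss report and list the response actions that apply."""
    if not dev.sensitive_data:
        exposure = "low"
    elif dev.strong_auth and dev.disk_encrypted:
        exposure = "contained"   # device loss, not data loss
    elif dev.strong_auth or dev.disk_encrypted:
        # A lock without encryption leaves the disk readable once removed;
        # encryption without a lock opens for whoever holds the device.
        exposure = "at_risk"
    else:
        exposure = "exposed"
    actions = []
    if dev.remote_mgmt:
        actions += ["locate", "remote_wipe"]
    actions.append("rotate_credentials")   # assumed policy: always rotate
    if dev.disk_encrypted:
        actions.append("rotate_encryption_keys")
    if exposure in ("at_risk", "exposed"):
        actions.append("open_breach_assessment")
    return {"asset": dev.asset_id, "exposure": exposure,
            "gaps": gaps(dev), "actions": actions}

# Constructed sample inventory of devices reported lost.
LOST = [Device("LT-001", True, True, True, True),
        Device("LT-002", True, False, False, True),
        Device("USB-003", False, False, False, True)]

if __name__ == "__main__":
    for d in LOST:
        print(triage(d))
```

Running the same `gaps` check across the whole fleet before any loss occurs shows which devices would fall into the `at_risk` or `exposed` categories.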
Device loss is a significant part of the entire data breach problem, but with the right steps and the relevant best practices it can be managed. For a complete and automated adherence to these steps and practices that is not only versatile but also designed to deliver the best multi-layer security we can provide, there is our Complete User Protection Solution suite. Protect not only against data loss and data breaches but also against the worst the shadowy side of the Internet can throw at you and your business.
More analysis and details about data breaches can be found in our Follow the Data: Dissecting Data Breaches and Debunking the Myths page.
Updated November 18, 2015 6:00 PM PST: Text updated to add recommendations on secure data deletion.