Assume Your Employees Might Lose Your Devices
When an organization-owned device like a laptop, tablet, or smartphone goes missing, a lot of major concerns should arise—and they aren’t limited to the device itself. Mitigate the risk by using a thoughtful security strategy.
Recently, I found myself in possession of a Microsoft Surface. It wasn’t mine. It was just sitting on a chair, unattended and looking lonely.
I was at a train station and spotted the device. It was bad enough that it was lost, but making things more problematic was that I didn’t know whether or not the person who owned it was in the station or had boarded the last train without his or her computing device of choice.
Being a journalist, I tried to put my detective cap on. If I were writing a story about someone, how would I reach out to the person? I had two details: The name of the company was listed on the back of the device, and I was able to acquire the person’s name by simply turning it on and leaving it on the login screen. With that information, I went to the company’s website, called up the number for the main office, and reached the directory. I typed the person’s name in, gave him a call, and let him know that I had his device—as well as how to reach me.
Fortunately, he was still in the station. I handed it over and probably saved that guy a lot of headaches.
But what amused me a little was what happened 10 minutes later. He called me back, utterly confused as to how I figured out how to reach him.
It was a reasonable question: Many people would have simply handed the device to the lost-and-found. Others might have had cloudier motives. And what would that have meant for both the person and the organization? I see a few potential dangers:
Personal accounts likely to be exposed. If the computer is found when the user is logged in—or without a password screen at all—the odds are good that your personal accounts can be accessed through apps like Google Chrome, especially if no login is required. This is especially serious for individual users, though company accounts might be in danger as well. And don’t assume that just because you have a password on the device that someone won’t be able to figure it out.
Organizational data may be compromised. It’s entirely possible that your employee’s laptop has some sort of relevant data on it related to your organization, in big ways and small—whether that means internal reports, financial data, or personal information about your employees. It’s a privacy minefield.
Your member data could be in trouble, too. Earlier this year, data about more than 200,000 customers of Indiana’s Premier Healthcare was exposed after a laptop was stolen from inside the company’s billing department. “The laptop was password-protected, but not encrypted,” SC Media reported. “Emails stored on the laptop’s hard drive contained screenshots, spreadsheets, and PDF documents pertaining to patient billing issues, insurance companies, and other healthcare providers.” It’s easy to see the parallels to your own member rolls.
And on top of all that, it’s important to note that there’s likely a significant cost tied directly to the device itself.
Stolen Device? Protect the Data
On the plus side, vulnerability to data loss linked to device theft appears to be declining. In 2007 and 2008, the Identity Theft Resource Center pinpointed “Data on the Move”—its way of defining information stolen through the loss of a laptop or storage device in transit—as the most common form of identity theft, with the category representing more than a quarter of all such incidents.
But the most recent version of the survey, released in January, revealed that the category had become the least common form of identity theft, representing less than 8 percent of all incidents and taking a backseat to newer forms of identity theft like hacking. That stat is particularly impressive considering that, since 2007, easy-to-lose smartphones have become incredibly common.
Part of the reason for this may be the fact that the devices themselves have become harder to break into. Mac users, for example, have the capabilities of Find My Mac at their disposal, and the open-source security app Prey, available for PCs and Android devices, has proved particularly effective. (Check out the recovery stories.)
It’s always better to get the device back, of course, but if that doesn’t happen, the best scenario is to make the data unreadable or the device useless—which both Find My Mac and Prey can do. For larger corporate networks, mobile device management—a more deeply organized kind of security—might be a better approach.
Prepare for Danger
The proliferation of devices makes the risk of physical theft an important consideration to keep in mind at your organization, no matter if you have five employees or 1,000.
Last year, one of BuzzFeed’s most popular writers, Matt Stopera, went on a whirlwind tour of China after the Chinese man who unwittingly received his stolen iPhone started taking photos with the device that ended up on Stopera’s iCloud account. Stopera wrote about the unusual situation, which went viral and led to a surprising international border-crossing friendship between the two men, and now the saga is being made into a movie starring The Big Bang Theory’s Jim Parsons.
Most lost or stolen device sagas don’t end like that—and there are plenty that don’t end with the device ending up in a Good Samaritan’s hands. The result is usually much less whimsical and much more painful. Both individual users and their employers have to plan for the off-chance that something might happen.
Expect the best, but prepare for the worst.