Dissecting Data Breaches: Guard Your Devices Well

In late September I published my research paper titled Follow the Data: Dissecting Data Breaches and Debunking the Myths that delved deep into the causes behind data breaches. The goal of the paper was to provide a thorough analysis of data breaches so businesses and organizations could better understand the problem and learn how to defend against them.

Since then I have received a lot of feedback about the paper. More than one person has asked me: Why are so many data breaches caused by device loss or physical record theft? This is a very important question. Physical loss of data (both in electronic and non-electronic forms) accounts for more than half of all incidents that we observed.

Figure 1. Reasons behind data loss incidents

Physical loss of data can take a variety of forms. Devices (e.g. desktop PCs, laptops, tablets, smartphones) or storage media (e.g. portable hard drives, USB thumb drives, optical media) might be misplaced, lost by unwitting employees, or stolen by thieves. Short of handcuffing these items to the employees, preventing this kind of threat is extremely difficult.

There is no one industry that was hardest hit by loss or theft: it was observed happening in all industries that we studied in the paper. Majority of these losses can be attributed to either acts of negligence or crimes of convenience: a street criminal steals a laptop with no awareness of what is on it. Even if the items stolen have a small resale value (such as hard drives and thumb drives), they are still targets of opportunity for petty thieves. High-level executives may face targeted thefts of their devices, but by volume those attacks are dwarfed by breaches from everyday loss or theft.

Physical loss is a sizable chunk of the data loss problem. Online data breaches may be more damaging and grabs headlines, but physical losses are more frequent. So how can an organization cope with this problem?

Some attempts to reduce physical losses wouldn’t hurt. Besides reminders to employees to take care of their devices, technology can also help. Wireless tags (powered by Bluetooth or NFC technology) are available that can help users keep track of multiple devices that they usually have around them at any given time. These would alert the user if the tag gets too far away from a master device, usually a smartphone running an app which monitors the proximity of the tag.

If a device is lost, then steps should be taken to ensure that device loss does not become data loss. Fortunately security best practices can help. Devices that are properly configured with strong authentication (such as passwords or biometrics) will prevent thieves from accessing the stored data if the device has been stolen. Similarly disk encryption will also prevent sensitive data access by the attacker.

Mobile-connected devices should have location services and remote management enabled, so that their location can be tracked and if required the device can be remotely wiped. Procedures should also be in place so IT departments can change authentication credentials and encryption keys if needed.

Device loss is a significant part of the entire data breach problem, but with the right steps it can be managed. More analysis and details about data breaches can be found in our Follow the Data: Dissecting Data Breaches and Debunking the Myths page.