Even simple mistakes can put your business at risk.
When business data breaches hit the front page, they are usually massive and often involve technical hack attacks. But data can also be lost through less spectacular means, ranging from laptops forgotten in taxis and smartphones donated to charities to logins jotted on paper and tossed into the trash.
Risk arises any time mobile devices like smartphones, tablets and laptops leave a business’s control, whether by accidental loss, theft or improper disposal. A poll by Fiberlink, an IBM company that provides mobile device management solutions, found 68 percent of workers did not have devices professionally wiped or securely destroyed when swapping them out.
David Lingenfelter, information security officer for Fiberlink, experienced this when he found personal information, including photos, on a used iPod purchased for his son. Data on discarded business devices could include anything from usernames and passwords to proprietary product plans. Although the data is not visible to the naked eye, retrieving it is easy. “If they haven’t taken the time to wipe their device, somebody’s going to see it,” Lingenfelter warns.
And you can’t just worry about laptops, smartphones and tablets, says Charles Tendell, CEO of Denver-based Azorian Cyber Security. Hard drives inside old desktops, networked printers, multifunction devices and even office copiers may contain sensitive business information that is easily retrievable by savvy snoops.
Simply deleting files doesn’t erase data, Tendell warns. Commercial and free software can eradicate information by low-level formatting hard drives. IT security professionals can also do it. Recyclers, charities, vendors and others who accept used devices should be asked whether they securely erase data before reselling them. “Some do and some don’t,” Tendell says.
If you’ve lost track of a device either accidentally or through recycling, you may still be able to protect yourself. Companies like Lingenfelter’s employer sell mobile device management software that includes the ability to erase data on a mobile device after it has left your control. The software, sold on a subscription basis per device, can selectively erase business data while sparing personal files such as music and pictures, Lingenfelter says.
Standard hard disk encryption can keep misplaced or stolen laptops from serving up sensitive data to the wrong people. “If there is encryption, they are going to be dead in their tracks,” Tendell says. “Encrypting your hard drive is a really strong way to deter that type of data loss.”
Another technique is to install tracking software that alerts you when one of your lost or stolen devices is turned on and connected to the Internet. This can help recover a missing device as well as protect against data loss.
Low-tech leaks from usernames and passwords penciled on paper that is later thrown out can defeat the most technical security measures. Hackers know this well, and so-called “dumpster divers” may target corporate trash-disposal bins to search for sensitive information.
The first line of defense against dumpster divers is to refrain from writing down passwords and usernames. If you do, however, and later realize a bit of notepaper bearing sensitive information has gone astray, change your password immediately. Even better, Tendell suggests setting up a reminder to change your passwords every 90 days. That way, even if you make a mistake without realizing it, you’ll limit the damage.
Whether the medium is discarded paper or misplaced or recycled devices, the loss of corporate data in unexpected ways is a huge risk, according to Tendell. And there are as many ways to lose data as there are devices and technologies to work with it. His advice: “As a business owner, you have to think about where data is being stored and moved.”