The Register recently reported that a quarter of banks' data breaches are due to lost laptops and phones.
Let’s look at that for a minute, because it shows that there’s some basic blocking and tackling that needs to be put in place. I suspect that the vast majority of that loss isn’t due to active attack but rather to ordinary loss and theft. A determined attacker (the classic evil maid scenario, for example) is a different situation. There are some straightforward solutions that could dramatically cut down on this particular threat.
Have an endpoint policy.
The first step in controlling your environment is to know what connects to it. The policy should require that all endpoints used for business purposes (including BYOD) be registered with and managed by the company. Staff need to be made aware, through annual security training, that only managed and registered devices are allowed. The policy keeps honest people honest, and it provides the rationale for sanction or termination if staff deliberately work around the restriction.
Define acceptable configuration.
An organization should have a set of minimum OS versions allowed on endpoints. That’s the single greatest risk – running an out-of-date, unpatched OS with known vulnerabilities (XP and non-current Android versions, I’m looking at you). If it’s out of date, it’s not allowed. Second, the endpoints need to be configured to meet basic requirements – user ID, screen lockout, password policies, encryption with key escrow, remote wipe (for mobile), no risky software (e.g. torrents), and so forth.
Technically enforce both.
Assuming that there are policies in place, the organization needs to have the capability to ensure that unauthorized devices cannot connect to the network. That is a whole topic by itself, but it’s also a problem with known solutions. Hard, yes, but not rocket science.
The next step in controlling endpoints is to implement an endpoint management automation solution. This should include asset management, patch management, and configuration management – in other words, what is the device, who owns the device, is the device on a current (approved) operating system version, and is it configured in accordance with security policies?
This isn’t rocket science either – while there’s no universal solution across computers and mobile devices, within each of those there are rock-solid options that make this a no-brainer to accomplish.
One key part of enforcement is the ability to prove that a device was in-policy when it was lost. An encrypted laptop that’s lost is a capital loss, not a data breach. But it can only be counted that way if the organization can prove that it was in-policy.
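As an added illustration (not code from the original post), here is a small Python policy check that encodes the configuration baseline described above and keeps dated compliance snapshots, so the "was it in-policy when it was lost" question has an answer backed by a record. The minimum versions, setting names and device records are assumed, constructed values; substitute your own policy.

```python
from dataclasses import dataclass, field

# Assumed baseline: minimum OS versions and required settings (adjust to your policy).
MIN_OS_VERSION = {"windows": "10.0", "macos": "13.0", "android": "13", "ios": "16"}
REQUIRED_SETTINGS = {"screen_lock", "password_policy", "disk_encrypted", "key_escrowed"}
MOBILE_PLATFORMS = {"android", "ios"}          # remote wipe is required here only
DISALLOWED_SOFTWARE = {"torrent_client"}       # category label, not a product name

def parse_version(text: str) -> tuple:
    """'13.2.1' -> (13, 2, 1); padded to three parts so '13' compares equal to '13.0.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

@dataclass
class Device:
    device_id: str          # asset management: what is the device
    owner: str              # asset management: who owns it
    platform: str
    os_version: str         # patch management: is it on an approved OS version
    settings: set = field(default_factory=set)   # configuration management
    software: set = field(default_factory=set)
    registered: bool = False

def evaluate(device: Device) -> list:
    """Return the policy violations; an empty list means the device is in-policy."""
    violations = []
    if not device.registered:
        violations.append("unregistered")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        violations.append(f"unsupported platform: {device.platform}")
    elif parse_version(device.os_version) < parse_version(minimum):
        violations.append(f"os below minimum {minimum}")
    for name in sorted(REQUIRED_SETTINGS - device.settings):
        violations.append(f"missing {name}")
    if device.platform in MOBILE_PLATFORMS and "remote_wipe" not in device.settings:
        violations.append("missing remote_wipe")
    for name in sorted(device.software & DISALLOWED_SOFTWARE):
        violations.append(f"disallowed software: {name}")
    return violations

def record(log: list, device: Device, when: str) -> None:
    """Append a dated (ISO yyyy-mm-dd) compliance snapshot; this is the evidence kept per device."""
    log.append((when, device.device_id, evaluate(device)))

def was_in_policy(log: list, device_id: str, lost_on: str):
    """True/False from the last snapshot on or before lost_on; None if there is no evidence."""
    prior = [v for t, d, v in sorted(log, key=lambda e: e[0]) if d == device_id and t <= lost_on]
    return (prior[-1] == []) if prior else None
```

A device with no snapshot before the loss date yields None rather than False: without evidence, the organization cannot claim the loss was a capital loss rather than a breach.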
A word on BYOD.
I’m seeing a trend away from BYOD being allowed, which is unfortunate. I like BYOD – I use it myself, because it enables me to do a better job than I could with corporate-issued equipment. I get riled up when I hear people complain about the intrusiveness of corporate controls on BYOD – after all, BYOD is an option, not a right. If a user doesn’t like the technical enforcement tools, then they can carry two devices. But a company can no longer safely allow unmanaged BYOD devices.
In the end…point.
If it’s true that 25% of breaches (a breach is when data has been exposed, but not confirmed to have been lost) are due to lost and stolen endpoints, then that shows a lack of basic industry practices (not even best practices – just average). It’s only a matter of time before there’s class-action litigation against a company that fails to follow these basic steps.