[This post is the twelfth in a series. The original post can be found here.]
Lost or stolen laptops, smartphones and USB sticks are frequently involved in major data breaches. This is because they often contain large amounts of confidential or sensitive information (e.g., client data, firm and personal information, usernames and passwords) and, being small and very portable, they are easily lost or stolen. You can significantly reduce your exposure to a breach involving a mobile device by doing the following things:
- Take steps to prevent mobile device theft or loss;
- Make it harder to access information on the device; and
- Configure remote “find and wipe.”
Preventing theft or loss
Here are some very easy ways to prevent the loss or theft of your mobile devices:
- Never leave your portable devices unattended in a public place.
- In particular, don’t leave them in your vehicle – even locked in the trunk is not safe;
- To be a less obvious target, use a briefcase or bag that does not look like a standard laptop bag;
- Inexpensive cable locks from Targus (targus.com) and others can help deter a casual thief, but are no obstacle for a determined thief with cable cutters; and
- If you are staying at a hotel, put the device in a safe in your room or at the front desk.
Making it harder to access data on the device
If a device is lost or stolen, you want to make it as difficult as possible for someone to access the information on it. This is very easy to do. As a first line of defense, you can enable the startup password. After enabling this feature, anyone turning the device on will be challenged for a password and they won’t be able to see any information on the device. Most laptops and smartphones have this feature. However, while this should protect the data on the device from the average thief or person that might find a lost device, someone with specialized knowledge can bypass these built-in password-protection features.
For an extra level of security you can use encryption, which scrambles the data on a device, making it very difficult for someone to access it. Some devices have an encryption feature in the device operating system, and, if not, you can use a third-party encryption program or app. TrueCrypt is a widely used encryption tool that works on many different platforms.
One other option to consider: if you allow remote access, have people travel with a device that has no client data or other sensitive information on it. They can use it to access client data in the office via remote access and if the device is lost or stolen there is no lost information to be concerned about.
You may want to keep in mind that current case law provides that law enforcement does not need the permission of a device owner to access information on a device that is not password protected.
Device locators and remote wipe
To prepare for the eventuality that one of your smartphones, tablets or laptops gets lost or stolen, you should enable or install device locator and remote wipe functionalities. These features are built in on some devices, and there are many third-party programs and apps that do the same things. Using GPS technology or the tracing of IP addresses, you can potentially view the location of your device on a web-based map, sometimes along with where and when it was last used. Just in case the device is lost in your residence, you can also trigger a high-volume ring to help you locate it, even if the device is on silent or vibrate. If the worst has happened and it appears that the device is permanently lost or was stolen, you can usually lock the device so no one can use it or access the data, and you can also remotely tell the device to do a factory reset, which will delete all data on it.
Beware of data theft with USB sticks
Tiny, high-capacity USB sticks are commonly used for moving data around. A combination of three things makes them a major security concern: (1) they are very easy to use, (2) they are compact, lightweight and ultra-portable, and (3) they can store huge amounts of information. They are, in other words, the perfect tool for a disgruntled or soon-to-be ex-employee who plans to easily and quickly steal firm data.
How do you protect yourself? Make sure you have appropriate security and access rights to confidential client and firm information on your firm’s computers and servers. Auditing file access may help you spot someone who is accessing information they should not. Consider disabling USB ports on firm computers used by people that have no reason to use USB sticks.
Dan Pinnington is the Vice President of Claims Prevention at practicePRO. This article first appeared in the December 2013 issue of LawPro magazine. Reprinted with permission. For more cyber safety tips, visit www.lawpro.ca.