The Cost of Poor Protection: How to Prevent Your Hardware from Being Lost or Stolen

When protecting your business from threats such as data loss, a lot of attention goes on securing assets such as databases, applications and cloud servers where sensitive information is stored or processed. However, you also need to look at your physical security, especially when it comes to hardware.

PCs, laptops and smartphones are just some of the items that will contain highly sensitive data on their hard drives, in addition to other details such as password info and links to key business applications. And as well as the threat of cybercrime, endpoint security strategies also need to account for the risks facing the hardware itself - especially the danger of devices being lost or stolen.

The high cost of lost or stolen devices

Lost or stolen hardware is a major problem for all organizations. For example, one Freedom of Information request made by Viasat found that between June 2018 - June 2019, UK government employees lost more than 2,000 devices, with the Ministry of Defence alone misplacing 767.

Overall, 1,474 items were reported lost, 347 were stolen and in 183 cases it was unclear what the cause was. What's more, nearly 200 devices may have been unencrypted, while only 249 were recovered.

It's therefore no surprise that lost devices are a major cause of data breaches reported under GDPR rules, with research by DLA Piper suggesting this is a factor in 24% of cases. However, despite this, many organizations have no plans to improve encryption on hardware such as portable hard drives (40%), desktops (37%), laptops (32%) and mobiles (31%).

Losing devices or having them stolen can lead to issues including:

• Financial penalties from regulators
• Loss of crucial intellectual property or trade secrets
• Disruption to day-to-day activities
• Reputational damage
• Direct costs such as replacing hardware and building new security measures

Even the smallest device could lead to a big problem. In 2018, for instance, Heathrow Airport was fined £120,000 ($164,133) by the Information Commissioner's Office after a USB memory stick containing over 1,000 unencrypted files was misplaced and found by a member of the public.

Hybrid working practices raise the risks

Endpoint security challenges are being made even harder at the moment by a change in the way many people work. Brought on as a result of the COVID-19 pandemic, 'hybrid working', which sees employees split their time between the office and home, is set to be a major trend in the coming years.

45% of firms in the US expect a hybrid workforce to be the norm in the second half of 2021, compared with just one in three (32%) that will be primarily office based. Meanwhile, Microsoft noted that although 73% of workers want flexible remote work options to remain, 67% still want more in-person time with their teams.

This will inevitably mean that many more devices such as laptops will be carried on commutes between homes and offices on a regular basis, much more so than with full-time remote working practices.

As employees require instant access to data and applications wherever they are, this in turn will greatly increase the number of opportunities for devices to be left on trains or buses, or for opportunistic thieves looking for targets at stations, coffee shops or bars.

Even if people are working remotely full-time and their device never leaves their home office, you still have to consider the risks of theft. Employees may not have the same security protections at their home as you do in the office, especially if they're among the growing number of people embracing the "shoffice" trend by converting outbuildings into workspaces.

Protecting your hardware from loss and theft

Given that human error is the main cause of lost or stolen hardware, employee education must be a top priority for tackling this issue. Training should emphasize the importance of individuals taking responsibility for their equipment and what their liability will be if they fail to take care of their hardware.

This needs to apply whether the device itself is supplied by the company or personally owned as part of a bring your own device scheme. It's vital that employees understand the costs of any loss or theft go far beyond replacing the device itself, as it’ll often be the loss of data contained within it where the real issue lies.

While prevention is certainly better than cure when tackling such data breaches, you should be taking a few key steps to mitigate the impact in case a device is stolen or misplaced. At an absolute minimum, this means protecting all data with strong encryption technology and ensuring any access codes are complex and not stored in plain sight on or near the device - as even though it's a basic security failure, may people still write down passwords on sticky notes.

Technologies such as mobile device management that can remotely wipe a device of data should it be lost are also hugely useful tools. But at the same time, you should also set up an inventory system for all devices so you can keep track of who has items and where they’re at all times.

It's also important not to overlook physical security measures for any devices on your premises, as these are locations you have more direct control over. Tools such as perimeter controls, comprehensive CCTV and a secure, access-controlled server room are essential in ensuring your vital data is safe from threats.

If you're focusing only on your cyber defenses and neglecting physical security, it's all too easy for someone to casually walk in through the front door and undo all your good work.