Don't Fake It When It Comes to Securing Sensitive Data on Mobile Devices
Boy, do I have a story for you. But first, some prerequisite background.
For MSPs (including ourselves) serving clients that handle sensitive corporate data or personal data that is protected by law, it's absolutely, unequivocally critical to have techniques in place that protect against data leaks – even those resulting from the worst case scenarios. Loss of corporate data can do incalculable monetary damage to a company, and loss of private personal data – such as social security numbers or medical records protected by HIPAA – are breaches subject to government fines large enough to potentially put a small or medium business out of business. More than this, companies are required to report these data breaches, risking reputational harm that can easily be more damaging and costly than the fines involved. And with personal mobile devices permeating today's workplaces, data has more ways to leak than ever if those devices aren't secured.
Sometimes you have a case that reminds you just how important it is for organizations dealing in sensitive data to be ready for anything. Allow me to present this true story we were part of, occurring late last year in Phoenix, Arizona:
An administrator at a medical practice (one that our company provides managed services for) had work to do over a holiday weekend and took his work laptop home with him. He was a longstanding employee, well-liked with great employee reviews – an individual you would absolutely trust to be a responsible caretaker of any sensitive data in his possession. Of course, we live in a Bring Your Own Device world now, where employees at many organizations might handle work tasks with their own smartphones, tablets or USB drives. It's good for productivity. And laptops are made to be easily portable, so what's the big deal about allowing those devices to leave the building?
It just happened to be true that the particular work laptop the employee took home with him contained patient information subject to HIPAA protections, as well as financial data that could very quickly do the organization damage if it fell into the wrong hands.
Then on the first workday after the holiday weekend, the medical practice received the phone call. A family member called to inform them that the administrator had died, killed in an auto accident.
Workers at the medical practice were appropriately distraught over losing the coworker they had known for years, and offered their condolences to the family and each other. They were also practically concerned over the laptop, though, and who now had access to that secure data. They informed the family member of the situation, who searched for the laptop but couldn't find it.
But wait a second. Our admin had gone home for the weekend. So where was the laptop? Somewhere at his house? Destroyed in a car wreck? Faced with the possibility of needing to report the situation as a data breach, the medical practice needed to do all it could to be sure.
Fortunately, as the medical practice's MSP, we had tools at our disposal. We'd recently implemented Beachhead Solutions' SimplySecure on the center's PCs and mobile devices, which enforce encryption and give us other remote data security tools, like revocation of access (’data quarantine,’ to use Beachhead parlance), remote data wiping, and other security and reporting tools. We quickly performed a check of the computer and it was indeed connected and online. By deploying another software program, the anti-theft tool Prey Project, it was possible to activate the laptop's webcam, in an attempt to see where the laptop was, and who was using it.
The image revealed none another than our deceased administrator, though he was, rather, very much alive and holed up in an RV in the desert. A dirt bike leaned against the wall behind him, and he was sitting and watching YouTube videos on a lazy Thursday afternoon. The police were contacted, and further traces located the rogue employee's position. The authorities discovered the man with the stolen laptop, a cool $8,000 in cash, and soon learned that the RV was stolen as well (that's one former administrator who Better Call Saul ).
While encryption is the driving force behind mobile device security (for laptops, in particular), it alone could do nothing to protect sensitive data from this once-authorized and still very much alive (ab)user – he had the credentials! You never know when data will be put at risk and you'll want to remove access to it or wipe all sensitive data from a device altogether. Whether via careless negligence (the more common occurrence) or by the malfeasance of an administrator who'd go so far as to fake his own death for a free laptop, the right tools can really save the day.
Wayne Klug is President at Spectrum Technology Solutions, a managed service provider of technology solutions in the greater Phoenix area.