Why losing a company device puts your business at risk
Losing a company mobile or leaving a laptop behind is something everyone dreads, but did you know that losing a company device also puts your business at risk? The cost of replacing the old device is only a fraction of what you need to bear in mind.
Consider the information stored on the device, the value of which could be double the cost of the device, a multiple of it, or more. The loss can also put your private data at risk: with a lost smartphone, the likelihood is that you were signed in to all your social media accounts and mailboxes. Unless you had appropriate security in place, all of this information is at risk, and there is no way of knowing how much data the finder may access.
A few other things to consider
If your device is found by a potential attacker, they could access your contacts and potentially impersonate you. An imposter who can text your contacts, or who gains access to your e-mail or social media, can gather extra information about you in order to steal information or attempt to extract financial data. Social engineering is a technique attackers use often, and handing over access to your phone makes the process easier.
E-mail is generally set up once on a device, and a set-and-forget attitude can lead to a lost device being easily accessed. An attacker with access to your e-mail can use it to impersonate you, which in some situations can lead to fraud and financial loss. We often see issues involving estate agents, where members of the public are convinced to send large amounts of money to fraudsters who intercept communications and pretend to be the legitimate firm.
Access to your e-mail accounts can also make it easy for an attacker to gain access to other accounts. On many websites, the forgotten password button only needs the link in the reset e-mail to be clicked, and then access is gained.
A lost device could lead to fraudulent posts on social media, with potentially embarrassing posts and content appearing on the platforms. There are also the privacy concerns of your friends: if you lose a device that is logged in to social media and an attacker sees content they shouldn’t, then it should be your responsibility to break the news to your contacts.
Passwords & Credit Cards
Usernames and passwords are often saved by the browser to make it easier for you to log in next time. This is convenient, but it is also a risk if your device is lost without suitable encryption. Your browser can save access to your cloud storage, social media, banking information and lots of other sites.
Should an attacker or untrustworthy stranger find your lost device, they can potentially gain access to a lot of services you wouldn’t want anyone accessing. Unfortunately, many users use the same passwords for multiple services, so an attacker only needs to gain access to a single service to suddenly be able to access a plethora of services, even if the passwords weren’t stored on the device.
Many devices now have the ability to save credit or debit cards for future use. This is a very convenient feature when making payments online, but a simple accident can lead to you having to cancel all your credit cards, even if your purse or wallet is safe at home.
Consider a lost device finding its way to a competitor, or the information on the device being posted online where anyone can access it. You may have company secrets that are now accessible on the lost device; your entire business could be exposed by leaving a device behind. Service accounts may be accessible with saved credentials: imagine someone logging in and deleting your services, or posting profanity on your public services and website.
There are other things to consider. If an admin loses a device, it is possible for an attacker to log in to your mail services and create an e-mail address on your company e-mail system. This address can then be used for social engineering over a period of time, and it can often go unnoticed for months.
I understand we may be going overboard there, as usually an admin should have sufficient secondary logins set up; however, we shouldn’t make assumptions.
What Should We Do To Protect Ourselves?
Taking care of devices would be the most important step to take. We need to educate our staff to consider the impact of being forgetful: it is not just the cost of the device to consider, but all the other considerations above.
We also need to make sure our company IT department puts the necessary steps in place, such as encryption, two-factor authentication (2FA) and complex password requirements. IT departments also need to implement remote wipe, so that if a device is lost it can be wiped to prevent a leak of company data.
Encourage staff to use a password manager rather than relying on a browser to remember passwords. Browser passwords are often not encrypted and can easily be accessed, so if the browser asks for a password, do not assume this is enough protection.