The cost of lost and stolen gadgets

In our gadget obsessed world, just the thought of losing a phone, laptop or tablet is enough to bring most of us out in a cold sweat. Cut off from emails, social media and instant news, just a couple of hours without your phone can feel like forever. Not to mention the ordeal of losing your data and photos along with it.

But, aside from the personal trauma of being left adrift from the internet, losing a portable gadget is worrying for other, more serious, reasons. Because if your phone, laptop or tablet ends up in the wrong hands, you could also be at risk of data theft, cyber attacks and social engineering, plus the potential for financial and reputational damage to boot.

In this blog we’ll look at the real risks behind losing your gadgets - or indeed finding them -, including...

• What risks do you face when using, and losing, portable devices?
• What steps can you take to protect portable devices and data?
• What steps should you take in the event of losing a portable device?

What risks do you face when using, and losing, portable devices?

Data security

To state the obvious, once you lose control of devices, whether that’s a USB stick, external drive, DVD, phones or laptops (and the list goes on) - you effectively lose control over all the data on it, and who accesses it. And that can leave you and your business or employer vulnerable in a whole host of ways.

There are numerous examples of what can happen when portable data devices go astray. In a bad year of data breaches for British Airways, a member of the public found a USB stick lost by a BA team member which contained sensitive information about airline staff. The result: the Information Commissioner’s Office (ICO) hit BA with a £120,000 fine in October 2018 and the business has subsequently rolled out a company-wide information security training programme to stop it happening again.

And it’s not just businesses where this has occurred. Greater Manchester Police (GMP) was involved in a high profile case in 2017 after unencrypted DVDs containing victim interviews were lost in the post en route to the National Crime Agency - resulting in a £150,000 fine. The ICO determined that GMP had breached data protection law by failing to keep highly sensitive personal information secure and not taking adequate measures to protect against accidental loss.

Loss of sensitive personal information

Then there is also all your own personal data to think about, which could comprise usernames and passwords you’ve stored insecurely, giving access to everything from bank logins to social networks and work platforms. Embarrassing in the best of cases but perhaps more pertinently, you’re opening you and your business up to Social Engineers.

Social Engineering

Just a few pieces of your basic personal information skimmed from your device can be used to devastating effect in the wrong hands.

Unscrupulous individuals can use data as simple as your name or phone number to start building an in-depth profile of you, by combining it with additional details gathered from elsewhere. And before you know it, you could be a victim of a social engineering attack.

For example, Social Engineers might start with a simple call to find out whether your software is up-to-date, or the name of your IT manager; information which seems perfectly innocent at first. They also prey on the natural instinct of your employees to be friendly and helpful – particularly those in sales or customer service roles.

The statistics show that plenty of businesses fall for it, with a recent report finding that 60% of enterprises were victims of social engineering attacks in 2016 and nearly a fifth of those (17%) having their company financial accounts accessed as a result. Meanwhile, the Federation of Small Businesses (FSB) estimates that these attacks cost small businesses over £5bn each year. So, it pays to be on high alert after a device goes astray.

Malware Infections

It isn’t just losing a gadget that can be fraught with risk - what about devices that you’re given, pick up, or that are planted in your workplace?

“Infected” USB sticks are a hotbed of viruses, trojans and assorted ‘malware’, which are uploaded by hackers to purposefully infect your computer.

The malware could be destined to take control of a computer, upload files, track browser history, infect software and even give remote keyboard control to a hacker. In many cases the problems can’t be patched, infected files can’t be cleaned, and the infection is almost impossible to detect.

One of the most recently reported instances of this kind of attack was the “DarkVishnya” string of bank robberies, which took place in 2017 and 2018. Attacks were carried out on Eastern European banks’ computers via USB sticks, laptops, Raspberry PI and “Bash Bunnies” (a special tool for carrying out USB attacks) planted by individuals purporting to be couriers, job seekers, client representatives etc. A reminder to always check the credentials of anybody let into your building, and particularly areas where sensitive data is being processed.

‘Charging’ Malware

Using a flash drive isn’t the only USB security risk. Many modern laptops can now be charged through the USB port, a tremendous convenience, but one that can easily leave a machine open to attack.

Much like thumb drives, these small USB chargers are borrowed and shared, and lost and replaced without much thought. And like USB chargers, they can also be booby trapped to inject malware, rootkits and other malicious infections into a computer, allowing the hacker access to files and data at will.

Random USBs

Also bear in mind that hacking a machine doesn’t need to be covert or complex. There’s both real and academic research revealing that in some cases, hackers are simply dropping infected USB sticks in crowded places and waiting for a curious public to plug in to their machines.

One example can be found in digital news company Mic, researchers dropped a few hundred USB devices around the University of Illinois. 48% of the 300 devices they dropped were picked up and plugged into a computer...

And one last note on USBs, even deleting the information from a USB drive isn’t always effective for security, as the devices can leave traces or even full copies of files behind just waiting for an expert hacker to recover them later.

Financial implications

All of this can work out pretty expensive, particularly in the new world of GDPR (post May-2018), where compromised data can mean fines of up to 4% of a business’s annual global turnover or €20 million - whichever is greater.

Reputational Risk

Not only that but a data breach can also have serious ramifications for your brand’s reputation, particularly if client data is involved. So in the event of a breach or attack, make sure you react swiftly with media statements ready to go as soon as possible, being very clear on the impacts, who’s affected, the actions you’re taking and an apology.

Proactivity in containing the breach and minimising damage will go a long way towards regaining trust. More on this in our blog on how to respond to a cyber attack.

Your customers are at risk!

Your customers are frequently the first exposed to risk in the event of a company’s data breach, so make sure they’re informed immediately so they can minimise the damage to their own accounts and data. They’ll also want and deserve clarity on the steps you’re taking to secure their information from further attacks, as well as understand if there’s a need for financial compensation.

What steps can you take to protect portable devices and data?

There are a number of preventative steps you can take to help protect your devices and data:

• Use Cloud-based SaaS platforms with robust authentication rather than risk carrying data on laptops, DVDs, USBs etc).
• If you must use a USB (and many organisations have rightly locked these down and banned them), at the very least make sure you use encryption services like Bitlocker
• Use a password manager like 1-Password which creates and stores complex long-string passwords. And if you feel a password is compromised, you can quickly change every other password at the click of a button
• Make sure all the platforms you use have 2-Factor or Multi-Factor Authentication set up alongside your normal secret word - this makes it a little more difficult for hackers to break-through
• Text-messaged based 2-Factor Authentication is convenient and superficially useful but it isn’t actually especially secure given the ease with which mobile numbers can be ported to another device.
• Instead think about adopting an offline ‘key’ which you plug in to your mobile device - this then authenticates your ID through encrypted parameters. Yubikey is a good example. Google claim to "have had no reported or confirmed account takeovers due to password phishing since we began requiring security keys as a second factor for our employees"
• Passive Authentication - The most UX friendly option has to be biometrics (fingerprint analysis, face recognition, iris-scanning etc.), so you physically ARE your password. These can also operate alongside behavioural analytics conducted by the organisation, to provide a 'confidence rating' that you (and not a 'bot') are accessing the service.
• There are some devices and software applications that provide encryption out-of-the-box which can help, BUT for most people, the impact on ease and convenience tends to overrule security concerns.

What steps should you take in the event of losing a portable device?

1. Inform

Immediately alert your employer, the authorities and your insurer that you have lost a device so that they can lock down access where appropriate, and put in place fall-back plans.

If you identify or suspect a risk to customer data, then your fall-back plans will need to include communicating with the Information Commissioner’s Office (ICO) within 72 hours of a breach.

Likewise, if payment details are compromised then businesses should also inform the PCI Security Standards Council, which regulates the security of payment information.

Superscript’ Chief Underwriting Officer, Ben Rose, detailed everything you need to know about GDPR in a previous blog.

2. Track the device

Laptops, mobile phones, even car keys, can all be tracked via GPS - this information could be vital to you and the police.

3. Prevent personal information access

Change all your passwords, ideally via a password manager for convenience, speed, and sophistication. Some devices allow you to lock your storage, delete your data or flag the device as stolen.

4. Deactivate

You won’t be able to track your device after you’ve done this, but it will help to prevent thieves obtaining your personal information, resetting your device and adding a new sim.

Related links

• Everything you need to know about GDPR
• Superscript GDPR Insurance
• Business contents insurance