Share This:

The combination of people gradually returning to offices and corporate campuses and the proliferation of BYOD (bring your own device) during the pandemic is not only causing headaches for CISOs and MSPs, but it’s also resulting in cybersecurity problems. “We are seeing so many devices left on trains, subways, buses, and in hotels,” says Alvin Ladd, an independent IT consultant in Newark, New Jersey, specializing in BYOD, “And, of course, in Ubers.” Ladd says this is the return of an old problem.

People have always been careless and left behind devices and electronics. Still, the problem is magnified in the post-COVID era because many people started using BYOD for their work.

Lost and found devices lead to exposed data

“As the number of commuters increases, so do the statistical odds of having devices left behind,” notes Ladd.

One study by ID Theft Center and reported on by Forbes estimated that between 2005 – 2015, 41 percent of all data breaches were caused by an unsecured lost or stolen device. Newer statistics are complicated, but anecdotal evidence points to the problem having not improved over time.

A recent visit to a Cleveland, Ohio RTA (train and bus transit hub) lost and found depot by SmarterMSP, revealed a classroom-sized room filled with unclaimed laptops, mobile devices, iPads, and chargers (and, of course, a lot of exciting non-IT items, like a tuba and a pool noodle). The amount of data in that lightly secured room was likely staggering.

“When a device is lost, that puts a tremendous amount of data at risk,” warns Ladd. “The devices you saw in that lost and found room are probably some of the better outcomes. The devices returned to lost and found are a small percentage of what is actually left behind; most items are out there somewhere, and some of them inevitably fall into the hands of hacks or others with ill-intent.”

The devices in lost and found that are never reclaimed are often recycled, sold, or disposed of, and the methodology for doing that, if it doesn’t follow best practices, can leave data exposed.

Can MSPs help police this situation?

“An MSP can do nothing to prevent loss. An `oops’ moment can and does happen to anyone, but the results can sometimes be catastrophic,” explains Ladd.

MSPs should make device retention part of user training.

“Simply making people more aware of the consequences of a laptop left behind can go a long way,” Ladd advises. “If people can just realize that leaving behind a device full of PHI or credit card numbers can cause major problems, they might look twice at their seat before getting off that subway.”

The importance of regulatory compliance

“There is still a lot of flouting – most unintentional – of rules and regulations regarding data retention and storage,” Ladd says. “A person who has a bunch of unsecured PHI on their laptop is probably in violation of several regulations.

So, user training needs to focus not just on the consequences of an unsecured device being left behind but also on making sure one of those human moments doesn’t spiral into something bigger.

“Companies can incur huge fines if it’s discovered that data is being improperly stored,” Ladd adds.

Heightened awareness is a necessity to prevent lost devices

“Everyone is in a hurry but check the seat before you leave the Uber.” says Ladd. “Look back at the seat before you exit your subway car. And if you realize you have misplaced a workplace device, immediately retrace your steps and check with the premises to see if they have a lost and found department.”

“The longer the device is lost, the less likely it will be recovered, and some places won’t even hang onto a device beyond a certain length of time,” notes Ladd.

“At the very least, you are making it harder for someone who finds a device to do anything harmful. It’s like having a lock on your front door at home. You’ve just made it harder for a burglar to get in. The burglar will still get in if they want to, but you’ve at least turned away the casual criminal,” Ladd explains.

So, what’s the solution?

There are software and configuration solutions that every MSP should implement as part of their BYOD and MDM program. Such solutions should include:

  1. Remote locking of devices.
  2. If your program offers this feature, lock screen messages that include the contact information of the rightful owner.
  3. Passcodes can and should be remotely reset when an item is lost.
  4. Depending on the device, you may be able to triangulate and pinpoint where the device is and send out a recovery team.
  5. Remote wiping of data.

Annual or bi-annual audits of what electronic devices employees are using and for what workplace purposes can also help MSPs create an inventory and consistent use and recovery policies. Stay on top of devices so what is lost isn’t found by those with ill-intent.

Photo: Farknot Architect / Shutterstock


Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

All Posts

10 Comments

  1. bob March 31, 2022 at 10:05 am

    Full disk encryption.

    Reply

  2. dave j April 1, 2022 at 10:09 am

    and enroll all devices in a MDM

    Reply

  3. Moss Jacobson April 1, 2022 at 11:52 am

    I agree this is a growing issue. Device management should be SOP at this point for the paradigm shift toward distributed workforces. All tools should be considered to secure devices – encryption, MFA (physical keys?), device location services, remote device management/wipe – just to name a few. This should all be taken into consideration for smartphones and tablets, too, as more workers rely on using multiple devices for task completion.

    Reply

  4. Jesús García April 5, 2022 at 8:02 am

    Disk encryption and use of MFA

    Reply

  5. Craig Walls April 5, 2022 at 10:05 am

    Encryption should be a requirement before the devices are allowed to access any sensitive data. The key in training is to make sure users know what to do if (when) such a breach happens. We’ve had cases where the user didn’t know who to call because all of the details were on the missing laptop!

    Reply

  6. Larry April 5, 2022 at 12:12 pm

    Great article

    Reply

  7. Don Ribar April 5, 2022 at 12:15 pm

    Valuable message but I’m tired of reading about “people gradually returning to offices and corporate campuses”. Many workers have been back full time to offices or never (really) “left” including us and plenty of our clients.

    Reply

  8. Eric Goldstein April 5, 2022 at 12:17 pm

    This is definitely happening more frequently and is a growing problem. Employers must enroll devices with encryption and MFA to help prevent breaches from happening.

    Reply

  9. Scott K April 5, 2022 at 4:17 pm

    Very timely article. Thank you for the recommendations.

    Reply

  10. Matthew Hickman April 12, 2022 at 1:01 pm

    We mix full disk encryption, MFA, screen lockouts, SSO, etc to help combat these tactics as well.

    Great article.

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *