The combination of people gradually returning to offices and corporate campuses and the proliferation of BYOD (bring your own device) during the pandemic is not only causing headaches for CISOs and MSPs, but it’s also resulting in cybersecurity problems. “We are seeing so many devices left on trains, subways, buses, and in hotels,” says Alvin Ladd, an independent IT consultant in Newark, New Jersey, specializing in BYOD. “And, of course, in Ubers.” Ladd says this is the return of an old problem.
People have always been careless and left behind devices and electronics. Still, the problem is magnified in the post-COVID era because many people started using BYOD for their work.
Lost and found devices lead to exposed data
“As the number of commuters increases, so do the statistical odds of having devices left behind,” notes Ladd.
One study by ID Theft Center, reported on by Forbes, estimated that between 2005 and 2015, 41 percent of all data breaches were caused by an unsecured lost or stolen device. Newer statistics are complicated, but anecdotal evidence suggests the problem has not improved over time.
A recent visit by SmarterMSP to a Cleveland, Ohio RTA (train and bus transit hub) lost and found depot revealed a classroom-sized room filled with unclaimed laptops, mobile devices, iPads, and chargers (and, of course, a lot of exciting non-IT items, like a tuba and a pool noodle). The amount of data in that lightly secured room was likely staggering.
“When a device is lost, that puts a tremendous amount of data at risk,” warns Ladd. “The devices you saw in that lost and found room are probably some of the better outcomes. The devices returned to lost and found are a small percentage of what is actually left behind; most items are out there somewhere, and some of them inevitably fall into the hands of hackers or others with ill intent.”
The devices in lost and found that are never reclaimed are often recycled, sold, or disposed of, and the methodology for doing that, if it doesn’t follow best practices, can leave data exposed.
Can MSPs help police this situation?
“An MSP can do nothing to prevent loss. An ‘oops’ moment can and does happen to anyone, but the results can sometimes be catastrophic,” explains Ladd.
MSPs should make device retention part of user training.
“Simply making people more aware of the consequences of a laptop left behind can go a long way,” Ladd advises. “If people can just realize that leaving behind a device full of PHI or credit card numbers can cause major problems, they might look twice at their seat before getting off that subway.”
The importance of regulatory compliance
“There is still a lot of flouting – most unintentional – of rules and regulations regarding data retention and storage,” Ladd says. “A person who has a bunch of unsecured PHI on their laptop is probably in violation of several regulations.”
So, user training needs to focus not just on the consequences of an unsecured device being left behind but also on making sure one of those human moments doesn’t spiral into something bigger.
“Companies can incur huge fines if it’s discovered that data is being improperly stored,” Ladd adds.
Heightened awareness is a necessity to prevent lost devices
“Everyone is in a hurry, but check the seat before you leave the Uber,” says Ladd. “Look back at the seat before you exit your subway car. And if you realize you have misplaced a workplace device, immediately retrace your steps and check with the premises to see if they have a lost and found department.”
“The longer the device is lost, the less likely it will be recovered, and some places won’t even hang onto a device beyond a certain length of time,” notes Ladd.
MSPs should implement standard protocols for lost BYOD and workplace devices. The simplest precaution is having devices locked by a password.
“At the very least, you are making it harder for someone who finds a device to do anything harmful. It’s like having a lock on your front door at home. You’ve just made it harder for a burglar to get in. The burglar will still get in if they want to, but you’ve at least turned away the casual criminal,” Ladd explains.
So, what’s the solution?
There are software and configuration solutions that every MSP should implement as part of their BYOD and MDM program. Such solutions should include:
- Remote locking of devices.
- If your program offers this feature, lock screen messages that include the contact information of the rightful owner.
- Passcodes can and should be remotely reset when an item is lost.
- Depending on the device, you may be able to triangulate and pinpoint where the device is and send out a recovery team.
- Remote wiping of data.
Annual or bi-annual audits of what electronic devices employees are using and for what workplace purposes can also help MSPs create an inventory and consistent use and recovery policies. Stay on top of devices so what is lost isn’t found by those with ill intent.