This article was originally published in IT Pro Portal.
A Texas city, the Canadian Northwest Territories government, an Irish telecom provider, and a California supermarket chain. What ties them together? They were all impacted by headline-making data breaches involving the theft of data from an endpoint device.
Unfortunately, the string of incidents is not surprising given that 70 per cent of data breaches today originate on the endpoint and 15 per cent of them are caused by lost or missing devices. Add to that the fact that major U.S. metros are still on alert as the “smash-and-grab” crime trend continues: San Francisco, for example, reported about 73 car break-ins per day in August alone, with laptops among the most in-demand and easiest-to-snatch items.
Global spending on IT security is predicted to total a staggering $128 billion by 2020. Yet the physical theft of laptops from offices, cars or elsewhere is still causing pain in the form of data leakage, exposure and regulatory issues. There are valuable lessons to be learned here, especially when endpoint breaches can be devastating to an organisation in terms of fines, reputational damage, lawsuits, and irreparable damage to customer trust.
To help organisations strengthen their endpoint security postures, we took a lens to several notable incidents that prove how vulnerable our endpoints continue to be and outlined our key takeaways:
- Irish telecom company, Eir leaks data of 37,000 customers: The data of 37,000 customers of Ireland’s largest telecom provider, Eir, was compromised when an unencrypted device was stolen from outside an office building. The laptop contained personally identifiable information (PII) including names, email addresses, phone numbers, and Eir account numbers. It had been decrypted by a faulty security update the previous working day. The company was forced to report the incident to the police as well as the Data Protection Commissioner.
- Stolen laptop exposes data of 10,000 Raley’s customers: Raley’s experienced a data breach affecting 10,000 pharmacy customers. The data included sensitive patient information as well as identification numbers and prescription drug records. Raley’s could not confirm whether the data had been accessed or misused, nor could they confirm if encryption was in place.
- Stolen laptop compromises Houston’s health plan: A laptop stolen from an employee’s car may have contained protected health information (PHI) records of the city’s staff, including names, addresses, dates of birth, social security numbers, and medical information. The organisation couldn’t tell if data was accessed or if encryption was in place, so they had no choice but to treat the incident as a data breach.
- Stolen laptop exposes health data of 80 per cent of N.W.T. residents: A laptop was stolen from a locked vehicle in Ottawa, Ontario containing PHI of 33,661 residents of Canada’s Northwest Territories. The data included patients’ names, birth dates, home communities, healthcare numbers, and, in some cases, medical conditions. The stolen laptop was a new device, so the encryption process either failed or was missed.
These examples show how easily an unnecessary breach can occur. When one laptop is stolen every 53 seconds, according to Gartner, and the average total cost of a data breach is $3.92 million, it is wise to ensure organisations have measures in place to avoid putting their data at risk. Here are the top three takeaways we can apply to endpoint security strategy, as risks continue to heighten in today’s IT landscape:
- Lack of visibility is a common denominator. There is a common thread across all of these cases: a lack of endpoint visibility and an inability to prove that data protection technology was in place and functioning at the time the device went missing. In addition, there was no way to know if data was accessed post incident and certainly no way to ensure the device was remotely disabled and all personal data deleted. When it comes to endpoint data protection, you’ve likely already purchased the necessary security tools, namely device encryption. The Raley’s case, though, is a reminder that there are unencrypted devices out there and attackers know it. Organisations must have the visibility to know that their controls are, in fact, turned on and working. There’s massive risk associated with not knowing the answer.
- The efficacy of endpoint security tools diminishes significantly over time. Despite the increase in IT security spending, endpoint attacks are still common. Recent research shows investment in security is wasted as endpoint controls predictably decay. The reasons vary, from controls being disabled by users to underlying services becoming disabled or broken and/or communication channels inside of the operating system (OS) breaking or experiencing disruption in some way. There is no scarcity of tools and controls. The problem is that these things are not naturally resilient. If you’ve got multiple agents on the device, beware that complexity is in itself a vulnerability and understand that less may, in fact, be more. IT, security, and risk professionals are wise to focus on streamlining and simplifying when it comes to securing their organisations’ data.
- Endpoint security is endpoint resilience. It may be counterintuitive, but endpoint controls are fragile. Compromise happens not because there are no guards, but often because controls compete for resources and some thrive while others fail, which defeats the goal of safeguarding data, systems and assets.
It’s important to understand that security tools conflict and collide, and that where there is friction there is decay. We must also acknowledge that these tools must be deliberately controlled in order to improve endpoint resilience.
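The visibility gap described in the takeaways above (an unencrypted device nobody noticed, encryption silently lost after a faulty update, an agent service that quietly stopped) can be caught from routine endpoint check-in data. The following is an added example, not code from the article or from any vendor's product: it audits a constructed set of agent reports (device names, timestamps and states are invented) and flags devices whose protection cannot be proven at the moment they might go missing.

```python
"""Endpoint control-visibility audit over constructed check-in telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Report:
    device: str
    seen: datetime          # when the endpoint agent last checked in
    encrypted: bool         # full-disk encryption reported as active
    agent_running: bool     # the agent's own service reported healthy


# Constructed sample check-ins (device names and times are invented).
T0 = datetime(2019, 9, 2, 8, 0, tzinfo=timezone.utc)
REPORTS = [
    Report("LT-001", T0 - timedelta(days=1), True, True),
    Report("LT-001", T0 - timedelta(hours=2), True, True),   # healthy
    Report("LT-002", T0 - timedelta(days=2), True, True),
    Report("LT-002", T0 - timedelta(hours=3), False, True),  # encryption lost after an update
    Report("LT-003", T0 - timedelta(days=9), True, True),    # silent: no recent proof of state
    Report("LT-004", T0 - timedelta(hours=1), True, False),  # agent service stopped (decay)
    Report("LT-005", T0 - timedelta(hours=1), False, True),  # never encrypted (new device)
]


def audit(reports, now, max_age=timedelta(days=1)):
    """Return {device: [finding, ...]} for devices whose protection cannot be trusted."""
    history = {}
    for r in sorted(reports, key=lambda r: r.seen):
        history.setdefault(r.device, []).append(r)
    findings = {}
    for dev, hist in history.items():
        latest, issues = hist[-1], []
        if now - latest.seen > max_age:
            issues.append(f"no check-in for {(now - latest.seen).days}d: encryption state unprovable")
        if not latest.encrypted:
            if any(h.encrypted for h in hist[:-1]):
                issues.append("encryption regressed: was encrypted, now reports unencrypted")
            else:
                issues.append("disk encryption not enabled")
        if not latest.agent_running:
            issues.append("agent service stopped: control decay")
        if issues:
            findings[dev] = issues
    return findings


if __name__ == "__main__":
    for dev, issues in audit(REPORTS, T0).items():
        print(dev, "->", "; ".join(issues))
```

The regression check matters most: a device that was encrypted yesterday and reports unencrypted today is exactly the Eir scenario, and it should page someone rather than wait for the next compliance report.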
Back to the basics
Building endpoint resiliency and improving endpoint security requires us to get back to the basics of cybersecurity and home in on the most critical elements for ensuring data protection at scale: people, process, and technology. Only then can organisations start to buck the trend of spending more of their IT budget on endpoint security while still seeing endpoint data breaches grow in frequency and severity.