Spetmber 7th 2016
What's the issue?
Recently one of our clients had a break-in at their small financial services office. Along with the NPC computers that were stolen, there was evidence that the thieves also targeted paper documents. Criminals know that business information is worth much more than the devices alone. But good news for this company, if there can be good news when something as traumatic as a break-in occurs, is that there was no loss of personally identifiable information (PII) and therefore no risk of loss or requirement to report to their clients. If this had happened in an office with unsecured computers and lack of a clean-desk policy, the outcome would have been detrimental to the business and their clients, as it was evident that these thieves were looking for more than just electronics, they wanted data.
Thankfully, this particular office had security measures in place to protect both digital and hardcopy data, with an effective clean-desk policy and NPC computers. We were able to confirm that all of the computer data was strongly encrypted at the time of loss and that backups were current. With embedded tripwires in place, the encrypted data is remotely destroyed if there is an attempt to extract data from the stolen devices. These additional built-in preventative measures, the trip wires, are necessary; experienced thieves know that putting a stolen device that is properly secured back on the Internet would result in its immediate detection and trigger a remote destruct of the data, as well as identify the location of the culprits. All NPCs feature a complete data backup run on a daily basis so client data can be restored to replacement computers within 48 hours. As for paper documents, the company enforced a clean-desk policy in which sensitive information isn't left in the open, but instead locked in file cabinets. It's important to have a clean-desk policy for any office as information on paper documents sit in plain text and can be read immediately. That type of data loss will be an immediate threat to the identity and financial security of clients, and copies of some of those documents may be hard to come by to continue working.
We advocate for secure computing because the risk of not taking the correct measures for data security can for any company range from major inconvenience to catastrophic. The information a company collects from their clients, vendors and other parties is not only important to the company and the owner of the information, but is also valuable to criminals. Data like PII and credit card information is often sought for and sold on the black market. Financial Services and Healthcare are the top two industries targeted by criminals for this reason.
What should I do?
This incident points to the pervasiveness of cyber-threat for any size of business, and that paper documents in a locked file cabinet are just as important as data on a properly secured computer. Business owners need to consider the measures they have in place for storing both digital and paper data. To achieve an even higher level of confidence in your data security plan, scanning paper documents onto a properly secured computer will give you the best piece-of-mind possible. When it comes to physical theft, proper device security and encryption is the best way to keep intruders from ever seeing your data.