Physical Security: Using risk to help get the monkey off your back
"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat!"
I often see business security strategies that have been driven by security controls frameworks or by compliance, rather than being driven by their identified risks. As a consequence, the business leaders (who are heavily reliant on their security specialists) agree to many initiatives without having the information they need to make an informed choice.
Remember, the business executives got to where they are because they are good at doing business and not because they understand security concepts. When you've been in the security industry as long as I have, this is something that is very easy to forget.
What may seem to be common sense to the security professional is often not so clear to the business executives and, in reality, why would it be?
This is where talking about things in terms of risk can make a difference within the business. Executives may not be proficient in security concepts, but they can readily relate to anything that may impact their business, and risk is the language that connects the two.
Mobile Device Theft: A Non-Traditional Threat
Despite this being a threat that most organizations consistently face, it is one that businesses rarely address directly as a risk. Even well-regarded security industry guidance treats it only in passing. For example, NIST's SP 800-124 Rev. 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, makes no specific reference to the non-traditional threat of an opportunist thief stealing a mobile device outside of an organization's facilities; the closest it comes is a general statement that devices may be lost or stolen:
"2.2.1 Lack of Physical Security Controls
Mobile devices are typically used in a variety of locations outside the organization's control, such as employees' homes, coffee shops, hotels, and conferences. Even mobile devices only used within an organization's facilities are often transported from place to place within the facilities. The devices' mobile nature makes them much more likely to be lost or stolen than other devices, so their data is at increased risk of compromise. When planning mobile device security policies and controls, organizations should assume that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization's remote resources."
Not everyone has a 'Trunk Monkey'!
According to Homeland Security, in the United States, there are an estimated 200 million smart mobile devices and 2 billion such devices worldwide. Within DHS, more than 38% of employees have government-issued mobile devices, totaling approximately 90,000 devices in use.
Each of these has an attractive monetary resale value to the traditional criminal.
Okay, so you're the Information Security Manager for a global manufacturing company, and a key part of its business-to-business (B2B) operations requires your Sales teams to travel to your customers. Despite having a mobile device policy, you are still receiving numerous reports of the Sales team's laptops being stolen whilst they are in transit between locations.
You review existing policy and discover that this clearly states:
When traveling by vehicle, should you need to stop in a public area, all mobile devices must be stored out of sight (preferably locked inside the boot/trunk of the vehicle).
All seems good with this policy statement, so you start your investigations. Every interview with a Sales team member whose laptop had been stolen reveals the same pattern: the laptop was stolen whilst they were stopping for a break at a Service Area, and every one of them had followed policy and locked the laptop in the boot of their car.
Was this just the criminals getting lucky?
Was this an inside job?
Or was it something else?
Well, continuing the investigations, the Sales team members were asked to describe their activities on the day that their laptops had been stolen.
The Gotcha moment
Every Sales team member had, in fact, been following this policy. However, every one of them had left Location A to travel to Location B without considering whether they would need to stop en route. Consequently, on leaving Location A they had put their mobile devices in the main body of their cars, and on needing to stop (remembering the policy statement) they secured their laptops, out of sight, in the boots/trunks of their cars. On returning to their vehicles, they discovered that the boots/trunks had been forced open and the mobile devices stolen.
The act of moving the laptop from the cabin to the boot/trunk, in full view of a public car park, was itself the problem: it advertised to any opportunist criminal watching that a valuable and attractive item had just been placed in a known location.
Now, the Sales teams had been doing nothing wrong; it was the policy statement that had not been written with consideration of the business risks.
Cost of a Laptop Theft
It is estimated that a laptop is stolen every 12 seconds and, in 2009, the Ponemon Institute broke down the actual business costs associated with the loss/theft of a laptop. Factoring in the loss of productivity, data loss, replacement costs, etc., they estimated that the average cost came to approximately $50,000 per device.
Now, in most instances, the criminals do not see these laptops as data sources; they see them as valuable and attractive items that they can quickly sell for a profit, and they regard this as a virtually victimless crime. Don't all businesses have insurance?
Reconsider your mobile device policy statement, based upon risk. How might a risk-based statement improve things and help to reduce this risk?
When traveling by vehicle, before setting off you should consider the length of the journey and the likelihood of needing to stop en route. Should a stop be likely, employees must securely store any mobile device in an out of sight location (preferably inside the boot/trunk of the vehicle) before setting off on the journey. If in any doubt, always favour securely storing the mobile device in an out of sight location prior to setting off. This reduces the risk of an opportunist criminal observing an employee stopping in a public area and moving the mobile device into an out of sight secure storage area.
Educate those members of your business that could be impacted by this threat, so that they understand the risks and how this policy statement has been developed to reduce the associated risks.
If your business leaders and employees appreciate this risk, they are more likely to support and adhere to this policy in a manner that helps to mitigate the threat. People do make mistakes, and there will be occasions when they forget; should this happen, they are at least more likely to be aware of their surroundings when moving the mobile device into the boot/trunk of their vehicles.
Ensure that the security strategy has been developed from valued input from your business's key stakeholders. They know the business and what is important to ensure that they can remain productive, operational, and profitable.
The mitigation of identified risks that could undermine your business's capability to fulfill its mission statement or objectives should be your primary driver to any security strategy development.
Do not automatically assume that people are the direct cause of mobile device thefts; it is important to understand the processes that gave the criminals the opportunity to steal the laptop. Remember the 3 pillars of security - People, Process & Technology - and ensure your policies reflect the appropriate rules for reducing the risks associated with your technologies and processes.
The development of an effective security strategy needs to align with the business, so it is important that the strategy is developed with the business and not in isolation to it.