The James Bond and Jason Bourne films would be a great deal duller if the secret agents got hold of their information by taking a cheeky peek at their antagonists’ laptop screen. Instead, of course, these films feature gadgets galore, with clever data-gathering devices disguised as a range of everyday items.
Movies exist to entertain, not to provide worthy lessons about data security. But a more accurate portrayal of international espionage would feature far fewer gizmos and many more pieces of what John le Carré called ‘tradecraft’. This can involve something as simple as a bit of sleight of hand to pocket a USB drive, or ‘shoulder surfing’ to read a confidential document.
Businesses spent almost $100 billion on information security in 2018, yet even this incredible sum seems to be making little impact on the number of breaches. A report by analysts 451 Research found that more than a third of 1,200 global firms reported a security breach in 2017, up from a quarter the previous year.
- When traditional security doesn't cut it anymore
- Why you need an integrated approach to cyber and physical security
- Shut the blinds: why physical threats can't be forgotten in cyber security
The report’s authors pointed out that while businesses are struggling to deal with the impact of digital transformation, “security spending focusing on the data itself is at the bottom of IT security spending priorities, leaving customer data, financial information and intellectual property severely at risk”.
It’s not just logical
Physical security may seem more humdrum and less “sexy” than logical security tools such as encryption and endpoint protection. But just because Jason Bourne doesn’t use a privacy screen on his laptop doesn’t mean that the physical side of security isn’t just as important as the logical.
Think about it. How many times have you walked down the aisle of a train or aeroplane and seen people working on a spreadsheet, presentation, email or document in full view of other passengers? A quick glimpse of an email signature, meanwhile, can tell a criminal exactly who the person is and so inspire them to steal a device when the mark’s back is turned.
The consequences of a breach are the same whether the data has been hacked from a corporate network or stolen from a physical device, and the GDPR doesn’t make a distinction between logical and physical breaches. Take the case of the lost USB stick at Heathrow Airport last year, where sensitive personal data of up to 50 aviation security personnel was revealed. Had the USB storage device been protected with encryption or a password, the airport would have avoided the bulk of the £120,000 fine handed down by the Information Commissioner’s Office.
Even better, of course, would have been to ensure that the USB stick had not gone missing in the first place. And this is where businesses need to make much greater efforts to instil the importance of physical security in every employee.
Developing a physical mindset
No-one is arguing that employees should lock away their laptops and other devices whenever they’re out of the office. It’s possible to work on the go and stay secure. All it takes is a little education and the right tools to keep data safe.
Take the privacy screen we mentioned above. You might have seen these in action: if you’ve ever wondered why someone is working away on laptop even though you can’t make out anything on the screen, it’s because the user is employing a special screen that ensures the monitor is only visible from a very narrow viewing angle. These devices are both effective safeguards against “shoulder surfers” and cheap, too. Yet they are far from common, even in enterprises where employees routinely deal with sensitive information.
Similarly, businesses need to step up their protection against device theft. Again, stolen hardware might not seem like the most pressing priority when it comes to information security; yet figures from the FBI show that laptop theft is one of the world’s top three computer crimes.
Given that many IT hardware thefts are opportunistic crimes, employees can afford themselves a high degree of protection by using a cable lock for their device. It only takes a second to steal a laptop or tablet when the owner’s back is turned. Ensuring that a laptop is securely tethered is one of the best ways to stop someone walking away with the device – and your data.
Physical security should be part of every organisation’s cybersecurity defences, but it also requires more than investing in locks and privacy screens. Given that humans are the weakest link in IT security, it’s vital that all employees with remote access to sensitive data are fully trained in ‘tradecraft’. In other words, they should be made aware of common mistakes that lead to lost devices and stolen data, such as the spy lurking over their shoulder. Using privacy screens and cable locks needs to become second nature, not a behaviour that’s only learned after they’ve been successfully targeted by a criminal.
It doesn’t take the cunning of a George Smiley, the inventiveness of a “Q” or the financial resources of MI6 to make major improvements to the way organisations protect sensitive data on the move. Just a couple of highly affordable peripherals, together with a little time invested in educating employees about the risks and how to combat them, is all a business needs to do to take a huge leap forward in cybersecurity.
Marcus Harvey, Sales Director EMEA at Targus
- We've also highlighted the best secure drives
