Organizations spend a large amount on IT security, but they rarely devote enough resources to securing off-network assets, defined as data-bearing devices not always actively connected to the network. These assets might include older computers, copiers, and printers in storage, as well as those in use but not physically connected to the network, such as laptops, CDs, tapes, memory sticks, smart phones, personal digital assistants, and iPods.
These devices and machines account for the majority of data breaches—70 percent of them, according to the Ponemon Institute.
A new study, “Preventing Off-network Data breaches: Securing the Final Mile,” hopes to help bridge this gap. “Companies have been jumping through all sorts of technological hoops to improve security,” says Rob Houghton, president of the risk consulting firm Redemtech, which sponsored the study. But with off-network security, “a little nuts and bolts effort” can “create a lot of value.”
While many companies have off-network policies, the follow-through is often disorganized, according to the study, which polled security professionals at 735 organizations. While 73 percent of companies reported loss or theft of data-bearing equipment in the prior two years, just 30 percent said they thought the loss of the device would ever be detected.
In addition, 86 percent of respondents reported that their company had a formal policy for safeguarding off-network equipment, but 48 percent said there was no formal communication of the policy, or they were unsure whether one existed. “That’s disturbing, given the regulatory requirement about reporting breaches,” says Houghton.
Compared to the complex demands of network and database security, off-network risk reduction is straightforward, though not simple, says Houghton.
Perhaps the two most important steps are to develop a good policy and to create some basic metrics and accountability. “At a minimum you want to track inventory variances so you can reconcile two sets of numbers and make sure everything adds up.”
Houghton gives as an example a company that is decommissioning and moving a group of desktop computers. Companies should list the serial numbers of individual computers during the decommissioning process and then review the numbers again during the receiving process.
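The serial-number check described above can be sketched in a few lines of Python. This is an added example, not part of the original article or the study; the function names, the normalization rule, and the sample serial numbers are assumptions constructed for illustration. It also shows why counting devices is not enough: the two lists below are the same length, yet one machine is missing and another was never listed.

```python
from collections import Counter

# Constructed sample data: serials recorded at decommissioning and at receiving.
DECOMMISSIONED = ["dt-1001", "DT-1002", "DT-1003 ", "DT-1004"]
RECEIVED = ["DT1001", "DT-1002", "DT-1004", "DT-9999"]


def normalize(serial):
    # Assumption: serials match regardless of case, spaces and hyphens,
    # since the two lists are often typed or scanned by different people.
    return "".join(ch for ch in serial.upper() if ch.isalnum())


def reconcile(decommissioned, received):
    """Compare the decommissioning list against the receiving list."""
    sent = Counter(normalize(s) for s in decommissioned if s.strip())
    got = Counter(normalize(s) for s in received if s.strip())
    return {
        # Listed when leaving, never logged on arrival: possible loss or theft.
        "missing": sorted(set(sent) - set(got)),
        # Logged on arrival, never listed when leaving: possible substitution.
        "unexpected": sorted(set(got) - set(sent)),
        # Same serial recorded more than once within either list.
        "duplicates": sorted(
            {s for side in (sent, got) for s, n in side.items() if n > 1}
        ),
        # Difference in raw device counts; zero does not mean the lists match.
        "count_variance": sum(sent.values()) - sum(got.values()),
    }


def is_clean(report):
    """True only when every serial is accounted for exactly once on both sides."""
    return not (report["missing"] or report["unexpected"]
                or report["duplicates"] or report["count_variance"])


if __name__ == "__main__":
    report = reconcile(DECOMMISSIONED, RECEIVED)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("reconciled" if is_clean(report) else "investigate before closing out")
```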
Bolstering off-network security can generate additional efficiencies, he adds. Companies are likely to improve the overall return on their hardware by improving how it’s tracked.
One Redemtech client, a financial services firm, instituted some particularly strong off-network policies after a highly publicized data breach. Houghton says employees have been told they’ll lose their jobs for not following the policy.
“If you leave your laptop on the backseat of your car, and it gets stolen, you'll get fired…. That might sound draconian, but I think many employees understand that it’s in the business’s best interest.”