Lost devices leading cause of data breaches, report

Phishing scams and ransomware attacks may grab the headlines, but for the financial sector, lost or stolen mobile devices were the leading cause of data breaches over the last decade.

A Bitglass report found 25.3 percent of data breaches that have occurred since 2006 were due to malicious actors getting their hands on a corporate mobile device. This is well above the 19.2 percent of breaches that were caused by hacking, the 14.1 percent due to unintended disclosures and the 13.1 percent of incidents caused by company insiders.

The report does not disclose how many devices are lost, nor how many of those might end up in the hands of a malicious actor, but the fact that many employees have access to key corporate information means any loss can be catastrophic.

“This gets at what constitutes a breach - even if a device were lost due to an employee's carelessness, the organisation must still disclose that event because there is some chance that the data may fall into the wrong hands. Given the volume of sensitive data accessed by employees on a daily basis, it's inevitable that some will find its way onto devices and that some devices will be lost or stolen,” said Salim Hafid, Bitglass product manager, to SCMagazine.com in an email Thursday.

 

Bitglass sees better use of the cloud as part of the solution to this problem. The cloud offers improved infrastructure and application security, with teams dedicated to staying several steps ahead of hackers, the report states, and it allows sensitive corporate information to be offloaded from devices that can be misplaced or stolen.

Hafid also offered up some additional suggestions.

“The reality is BYOD and access from outside the corporate network are becoming more common, and it's the organisation's responsibility to ensure adequate data security is in place. That means limiting access in risky contexts, encrypting data at download, and enforcing some device-centric controls like remote wipe and device passcode locks,” he said.

The report noted that those serving in the financial services sector are not only being singled out for attack, but have already suffered data breaches.

In 2014, 37 data breaches were disclosed in the financial services sector, jumping to 45 in 2014 and almost doubling to 87 in 2015. And in the first half of 2016, five of the 20 largest banks in the U.S. endured a data breach.