Lost Laptops & Stolen Cells

Good morning, everybody, and welcome to this next webinar in our practical cybersecurity series, as today we’re going to talk about the issue of lost laptops and stolen cells.

Now let me remind you that if you like, feel free to type any questions into the Q&A console as we work through this today and will try to answer those during the webinar. And if you have questions and you’re watching this recording, please feel free to drop us an e-mail as we’d love to help you out and see what can be done.

What is the Risk?

This whole issue of lost laptops and stolen cell phones is really a much bigger deal than many of us actually realize. I was surprised to find out as I worked through preparation for this webinar that in the US alone roughly 3,000,000 smartphones were stolen yearly and you’ll find the URL about where that data came from later.

But not only are there 3,000,000 smartphones stolen yearly, there are also roughly 600,000 or greater laptops stolen during any given year. So when we stop and talk about this, this whole idea about stolen laptops and stolen cell phones is really a pretty big deal to be considered. It’s really a pretty big issue for us to think about.

It’s important for us to think about from a number of different reasons.
First off, if you’re the one who has your cell phone or your laptop stolen, obviously you can think about a number of different dangers. We had a friend one time who had their cell phone stolen from him in basically a mugging, and so they faced actual physical harm to what was going on and that was a bad deal and that was difficult for them for them.

But if your laptop or your cell phone are stolen, because in today’s world our entire digital life is carried across our devices, having that device stolen, it’s a number of potential risks. Obviously, identity theft is one that we think about and that seems to be big in the news all the way around. But besides identity theft, you’ve got financial loss. If you’re like me, you carry credit cards on your cell phone, and so if somebody gets that, they could then potentially start using your credit cards to be making purchases or you may have your bank account information there or URLs or passwords or any of those kinds of things. So financial loss can be a big deal that we think about when we talk about this.

Well, a lot of times we don’t think about them, is that the loss of these devices can also lead to threats to us, personally. I’ve included down here both the ideas of home invasions, financial loss, home invasion, and threats to family, and both of these are very realistic possibilities.

Someone finds your address, your personal information on it, something like that, and it’s potentially can come back to haunt you as perhaps your family comes under threat because of what was on your device and because of what people found there and then didn’t even mention.

When we talk about threats to family. If you’ve got photos of all kinds on your phone, it is totally possible in today’s world of AI for someone to take those photos and morph them into something that we don’t want, and so those can likewise become a threat.

So when you look at all of the different things involved, the idea of protecting your smartphones and your cell phones and knowing what to do with them is really important not only from a personal standpoint, but it even expands also and gets another facet when you think about protection from a business standpoint. So let’s start out working through this today and just talk about what in the world we should do to protect our cell phones and our laptops.

We’re going to look at it first off from a personal view as you, as you and your family, your loved ones, and then we’re going to move on into thinking about it from a business perspective as we talk about what’s there.

How Do I Protect My Personal Tech?

So how do I go about protecting my personal tech so that it stays safe and stays there as mine? Well, a number of these things that you’re going to find are going to be are going to be common ideas that you’ve all heard. For example, using a strong password or biometric authentication. Biometric means either face identification, fingerprint or something like that. And the idea of a strong password, while we all like stuff that’s easy to get into, yet strong passwords, biometric authentication are really important. I couldn’t tell you how many phones I’ve seen of individuals that have turned off the passwords or the pins, so that just as soon as you pick it up, it’s on and they think that everything’s OK.

Protecting that device with a strong password or some kind of biometric identification is going to be the first step as we talk about hanging onto our stuff.

But then if we’ve got stuff on our devices, particularly our laptops, we should enable encryption. If you’re using a Windows operating system, you’ve got BitLocker available on certain upper level additions of Windows. If you’re using the lower level additions of Windows, you don’t and so, honestly, it’s worth paying the small amount to upgrade to the higher level version so that you can get full disc encryption.
What this means, when you have full disc encryption, is that your entire hard disk or your entire solid-state drive is encrypted so that even if someone gets your laptop, they can’t just pull that disc or that SSD out and read it to find out what in the world you’ve got.

But besides enabling encryption on your personal tech we could talk about the idea of making regular backups to external sources or to the cloud, and this includes even backups off of your phone. I’ve had people who have years’ worth of photos stored on their phone. They lose their phone and suddenly they don’t have access to it.

This is not a complete list of things to think about. But whether you’re talking about your laptop, or talking about your cell phone, think about backing up files, photos and videos. You may have synced it to iCloud, Google Drive, something like that, but figure out how you’re going to keep at least a second copy someplace of your files, photos, and videos.

If you’re using some kind of a password manager, whether it’s one of the products out like, a Keeper or anything other password managers that are out figure out some way to do a backup of your password manager. If all of your passwords are on your phone and you lose that phone, suddenly you’re not going to have access to all of your stuff that you thought you should.

I knew somebody who within the past year actually lost their phone, did not have backups of their password manager and so discovered that they were locked out of everything–their entire digital life, so to speak–because they didn’t have any access to their passwords.

Well, a lot of people don’t think about though, is that if you’re using one of the main browsers, either Microsoft Edge, Google Chrome, Firefox, whatever it is; if you’re using one of those, be sure to sync your browser with your account. That way, the things that you’ve got stored, if you’ve got passwords that you inadvertently stored within the browser password manager or something like that, those will go ahead and sync up so that you can recover those too.

So it doesn’t matter whether you’ve got a phone, or a laptop, the idea of thinking through how you’re going to back up your data so that you have access to it is really important.

Then with regards to your personal phone, I would enable one of the find my phone features. Two well-known are the Android product, Find My Device the iOS product Find My iPhone. And as you turn both of those on, those both allow you not only to find your phone, but if potentially you suddenly discover that your phone is taking a trip across country with somebody else and it’s gone, you can remotely wipe those phones so that your personal information is no longer available to whoever it is that has your device. So I would sure definitely do those and be sure that the find my phone feature is enabled.

I would also probably attach someplace on the device, some kind of a physical tag with some kind of contact information. Now when I say contact information, I’m not saying your phone number and definitely not your address. But you may have it come to a generic Gmail account, for example, that you’ve got forwarded to your main e-mail account. Some way that if someone finds that your device that is lost that they can actually get in touch with you and get that device back to you so that it’s not totally lost.

Believe it or not, had that happen with a gentleman earlier this year, their device was lost halfway across the country. Someone found it. They were honest. They actually got in touch with this gentleman and they actually shipped the device back and returned it. So that actually can be a good way to help recover your devices.

But besides attaching some kind of physical device to it with your contact information, with regards to your phone specifically or with regards to any tablets or laptops that have cell phone access to them, I would record the phone IMEI or MEID numbers.
Now, basically, those are two numbers that attach that particular device to the cell phone network, and knowing what those two numbers are will let you turn around and give that to your carrier so that if your device is lost, they are totally able to detach that device from the network and help lock it down. So I would record both of those in order to help protect your device in the event that it really is lost.

But in today’s world, not only do we have to worry about personal devices, but more and more times we find that personal devices are being used within the business environment used under what’s called a BYOD structure – Bring your own device.

When we talk about using personal devices like our personal cell phones at work or sometimes personal laptops, when we talk about using our personal devices for work purposes, that introduces a whole new set of challenges and a whole new set of concerns.

First off, when we talk about BYOD, what in the world the world do we mean?

Well, generally BYOD refers to a program within where your employer allows employees to use personal devices for work purposes. And there’s different reasons why that can be done, why you might want that to be done. On the one hand, the company may do it for cost savings. For the employee, it may simplify their life. Rather than having to carry both a business cell phone and a personal cell phone, they just carry one cell phone that does both purposes, for example.

It’s also been shown that when employees are using their own devices that there’s a higher level of employee satisfaction by doing that.

So a lot of times the company does have a very valid reason to want to do that, and from the employees perspective, it does give benefits to do a bring your own device kind of deal. But bring your own device introduces a bunch of issues to think about, also.

For example, if you’re a business and you’re now having business data stored on individual devices, you may suddenly find out that you’ve got security risks, or data risk and in some instances even compliance risk by having that there.

So what if that employee looses that and it’s got some kind of important business information on that device? Well, if they lose it, where does responsibility lie and how is that handled? Or it may be that if another issue that as you talk about using personal devices for work is that you may have to think about how in the world are you going to keep personal and work separate on one device. After all, if that device is lost, you don’t want to wipe it and suddenly delete all the photos the individual had.

How Is Business Data Protected on BYOD?

So how do you keep personal and work separate if you’re using one device?

Well, that’s where there have been a number of different platforms introduced to help manage that situation, and a number of different ways in which business data can indeed be protected in a BYOD environment.

Probably one of the best known ways in which that is done is by taking a device and enrolling that particular device within some kind of business endpoint management service. Now I know that’s a big word in big terms.

If you’re in the Microsoft world, you’ve got what used to be called Intune or is now called Endpoint Manager. If you’re using a third party world, you’ve got Lookout, and right off the bat I’m forgetting what’s in the iPhone world. But some kind of manager that can manage it. 

Whatever you use, you want something that can manage not just Android devices, but also iPhone devices, so that ideally you’re covering everything, all of your devices within one endpoint manager.

And the way that that endpoint manager works, if you can imagine in your mind, imagine your mind a little bit, the endpoint manager in effect creates a separate space within that personal phone where it creates a partition or a section of that phone where just business data or just business apps are stored.

So if I can think that I’ve got my whole phone and I might take a piece of it here, and that piece is going to be used for business data and then maybe applications that you’ve got. If you want your team to have access to the mobile version of the office suite, for example. They would all stay within that partitioned area.

And being within that partitioned area let you do a number of things. Number one, it lets you create so that data is kept secure. For example, you can’t move business data off of the business side into your personal side, so you can’t just walk off with it in your phone.

You can’t take that business data and just do a copy and paste over here. And of course all this is assuming that you’ve had the policies configured correctly in Intune or Endpoint Manager, or whatever it is. And so you’ve got this data that is set aside that is partitioned into this own separate section of the cell phone. What it does it allows you, if that device is lost, you’ve got a couple of different options.

So let’s just say, for example, that you’ve got a team member who’s got 10 years of photos on their cell phone. And they also use it within the business, so you’ve got them enrolled in Endpoint Manager, and that team member loses their phone.

Well, they’re not sure if they lost it and they’ll find it again or if it’s permanently lost.
And yet, from a business side, if that phone is gone and out of the employees control, you need to take care of the business data so you don’t lose what’s important to your business.

So with something like Intune or Endpoint Manager, under that scenario, if the device is lost or stolen then that first option could be employed, where only the business data and the business apps are removed from the phone.

All the 10 years of photos and stuff are still there, and then if they find that that phone was just lost down behind the couch cushions, for example, they pull it back out, they’ve still got all their ten years of personal information. They don’t have business information and you’d simply reinstall it then at that point in time. So it allows you to be selective on what you do.

On the other hand, and we’ve had to do this, if you have a phone that is totally incompletely lost–say the owner has it stolen out of their hands as they’re walking down the street or whatever–and we had that happen–then you can take the second option and do a full device wipe. That means that not only is the business data removed off the phone, but likewise all of the of the personal data is lost too.
So you don’t have photos that can be taken and manipulated. You don’t have bank account information that he used the credit cards that are on it can’t be used.

All of this stuff in your personal digital life is removed because you know you’re never going to get that phone back.

So if you’re using BYOD devices within your business, some kind of endpoint management service like Intune endpoint manager, whatever really, really important to do so that you maintain control of the data that is yours.

Device Stolen? Do This–

Well, what I do if my device is stolen? How do I handle that if the device is actually gone?

Well, if your device is actually stolen and we’re talking about your personal device, then I’d probably start out and recommend some of these things. First off, if it is your personal device that is stolen and you’ve enabled things like find my Android or find, find my phone, or Find My iPhone on it, I would try to use those on your personal device to locate the phone, see where it is. And then if it’s genuinely stolen and lost, I would wipe it. You don’t want your data to get out there.

I would turn around and report to the authorities and along with authorities, I would add in credit card companies, those kinds of things, because you’re probably going to have to change financial information and all of those things that take place.

I would also report to the carrier that this phone was lost. You know the IMEI or MEID number? Your carrier probably has that record too. By reporting it lost, they can disable it on the network so that this individual cannot use it under your cell phone plan.

But if you do end up finding that device, even if your data is still on it, I would consider a factory reset. Now I know you’ve got all these years of phone of pictures out there and you don’t do that and I understand, but I would consider a factory reset simply because you don’t know what this other individual did with your phone while they had it. If they took us someplace. If they installed malware on it of some kind. If you just don’t know what took place. And so a factory reset may in many cases be the most logical thing to do, the most prudent way to handle that.

If the device that is stolen is a BYOD or a business device, the way that you handle this would be probably a little bit different. You’re going to report it to management, and if management has those devices enrolled in something like Intune or Endpoint Manager, they will wipe the business section or, if appropriate, do a full section wipe.

I would still go ahead and report it to the carrier, particularly if it’s a BYOD device that you’ve got. And if it’s a BYOD device, you’ve still got all your personal things to do, like reporting credit cards, reporting other information that may be there that needs to be handled. Changing credit cards. All those kinds of things.

And I would still look at doing a factory reset, because even if it’s a BYOD device, you don’t know exactly what happened. So factory reset may be a very important thing to do.

Well, that’s a lot to cover, I know, in a very short time frame, and if there’s anybody that has any questions, feel free to go ahead and type those into the Q&A as we’d love to participate with you right now. If, as we talk through this, there are more questions that come up. feel free to get a hold of us.

There will be a handout that will be available coming shortly about this, and likewise the webinar’s available for replay out on our YouTube Practical Cybersecurity channel.