Your associate walks into the office with a panicked look and tells you that she left her briefcase on the front seat of her car for only a moment to run and get a coffee, and when she came back it was gone. In it were her laptop and her smartphone. Your mind races. What should you do? Because your firm has taken steps through proper prior planning and an Incident Response Plan, you spring into action to mitigate the loss.
Document the Device Information
Your firm should keep a list of all devices used by firm personnel, especially mobile devices. This can be a simple spreadsheet that contains information about the user, the device serial number, manufacturer, series, make and model. On a laptop, the serial number can usually be found on a printed product label on the device itself or can be discovered using software or commands. Most laptop manufacturers have instructions on how to find the product or serial number online, like this documentation from Lenovo. If a device is lost or stolen, you should report it to law enforcement and your insurance providers (business, malpractice, and cyber liability), and you can check StolenComputers.org to search for or list your stolen device by serial number.
Any laptops, tablets or smartphones, whether issued by the firm or a personal device used to access firm data, should have drive encryption enabled. The good news is that this is easy to set up on most smartphones, Windows 10, and macOS devices since it is built-in. If you have external storage devices, such as thumb drives or hard drives, these devices can also be encrypted. Older devices can be protected with third-party encryption software.
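As an added example (not part of the original article), the PowerShell script below collects the inventory details described above from a Windows 10 laptop and records whether the system drive is encrypted with BitLocker. The inventory file location and the column names are assumptions; adjust them to match your firm's own spreadsheet.

```powershell
# Added example: record one Windows laptop in the firm's device inventory.
# Run in an elevated PowerShell session on the device itself.
# $InventoryPath is a hypothetical location; point it at the firm's real list.
param(
    [string]$InventoryPath = "$env:USERPROFILE\Documents\device-inventory.csv"
)

# Serial number comes from the BIOS; manufacturer, model and user from the system.
$bios   = Get-CimInstance -ClassName Win32_BIOS
$system = Get-CimInstance -ClassName Win32_ComputerSystem

# Encryption state of the system drive. Get-BitLockerVolume can fail without
# admin rights or where the BitLocker module is unavailable, so fall back to
# "Unknown" instead of stopping and losing the rest of the record.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $encryption = "$($vol.VolumeStatus) / Protection $($vol.ProtectionStatus)"
} catch {
    $encryption = 'Unknown (check manually)'
}

$record = [pscustomobject]@{
    RecordedOn   = (Get-Date).ToString('yyyy-MM-dd')
    User         = $system.UserName
    ComputerName = $env:COMPUTERNAME
    Manufacturer = $system.Manufacturer
    Model        = $system.Model
    SerialNumber = $bios.SerialNumber
    SystemDrive  = $env:SystemDrive
    Encryption   = $encryption
}

# Append so that one file accumulates a row per device.
$record | Export-Csv -Path $InventoryPath -Append -NoTypeInformation
$record | Format-List

# Flag devices that should not leave the office until encryption is turned on.
if ($encryption -notmatch 'Protection On') {
    Write-Warning 'System drive is not reported as protected by BitLocker.'
}
```

Keep the resulting file somewhere other than the laptops it describes, so the serial numbers are still available when a device goes missing.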
Change All Your Passwords
If your firm uses remote access protocols such as RDP, LogMeIn, or a VPN, the password should be changed immediately by the admin. If you are using any cloud-based products, such as G-Suite or Office 365, the administrator can change the user password to remove access to email, online documents, and firm calendars. Change passwords to any online time/billing/accounting applications and practice management applications. Don’t forget to change passwords to any social media accounts and synced browsers as well. The email password should be changed first, since a bad actor can use the email account to recover other passwords even if they are changed. Using a business-grade password manager, such as LastPass Enterprise or Dashlane Business, can make quick work of changing all passwords and reduces the user’s ability to let the browser remember and fill the passwords.
Multi-factor authentication can help protect accounts from external access, but if someone has access to a trusted device and/or the smartphone that receives the SMS code, the protections fall apart. Business-ready password management applications provide multi-factor authentication so that there is a central administrative portal to deploy and update this protection. Alternatively (or additionally), firms should consider a physical authentication option, such as YubiKey. Biometric authentication, such as a fingerprint, is an option on many devices, though it is imperfect. If your firm has set up multi-factor or two-factor authentication for cloud products such as Office 365, practice management or G-Suite, then log in to the admin portal and forget the device so that it is no longer trusted and will require the additional factor to log in. Also, if you have used a Google or Facebook account to log into other accounts, go and remove access in your account’s privacy and security settings.
Tracking and Wiping Devices
Android and iPhone users can log into their Google and Apple accounts to track their phones and remotely wipe the data the next time the device is turned on. You can also change the screen lock message remotely to offer a reward for return and provide contact information. For laptops, you can deploy Absolute (F/K/A Lojack for Laptops) or Prey to locate the device and remotely wipe the data. More information and instructions for tracking and wiping different devices are in the CPM blog post “Simple Steps to Protect Mobile Devices”. If your devices are effectively backed up, wiping the drive should cause no consternation.
You can either be prepared to act, mitigate the loss and protect confidential client information or you can sink into a chair with your head in your hands. There are many steps your firm can take to be prepared for similar situations with an incident response plan, but even without one, you can reduce the risk. At the ST&MP conference workshop in Cary on October 30-31st you will have the opportunity to write an Incident Response Plan so you are prepared for this and other scenarios.