Lost and Stolen Assets

2023

Please provide the information below to view the online Verizon Data Breach Investigations Report.

First Name: Last Name: E-mail: Organization: Organization type Country:

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

I confirm I have read and understood

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Gracias.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Gracias.

You may now close this message and continue to your article.

Resumen

This pattern continues to be a problem for organizations because these small (and not so small) devices are just so portable. We’ve seen their capacity to store large amounts of data increase over time, while employees’ ability to misplace them (or External actors to steal them) remains predictably common.

What is the same?

Devices and media are still more likely to be lost by Internal actors than stolen by External ones.

Frequency		2,091 incidents, 159 with confirmed data disclosure
Threat actors		External (92%), Internal (68%), Multiple (60%), Partner (1%) (breaches)
Actor motives		Financial (100%) (breaches)
Data compromised		Personal (87%), Medical (30%), Other (21%), Bank (13%) (breaches)

Where go my laptop?

The headline in this pattern is “Your stuff is gone,” which isn’t really a news flash. Whether the missing item(s) had “help” in the form of someone stealing a laptop, or was accidental, as in classified printed documents being mislaid in high-level government officials’ residences, the more portable an asset is, the more it needs protection against loss and theft.

This is a pattern where we see a high percentage of incidents not resulting in confirmed data breaches—largely because the status of confidentiality disclosure remains “at-risk” rather than “confirmed” due to the loss of custody of the asset in question. The exception is printed material, since no controls exist to shield documents from view once printed. Similar to last year, we again have less than 10% of the incidents as confirmed data breaches.

While stolen devices certainly represent a risk to organizations, employees are much more likely to cause a breach accidentally through loss. This fact has held true year over year on a consistent basis, as shown in Figure 46.

What is going missing, you may ask? Unsurprisingly, it’s the portable user devices, such as laptops, and mobile phones. In fact, phones have become quite the commodity (Figure 47). Considering the fact that no one ever seems to put them down, it’s hard to believe so many are lost.

CIS Controls for consideration

Protect data at rest

Data Protection [3]
– Encrypt Data on End-User Devices [3.6]
– Encrypt Data on Removable Media [3.9]

Secure Configuration of Enterprise Assets and Software [4]
– Enforce Automatic Device Lockout on Portable End-User Devices [4.10]
– Enforce Remote Wipe Capability on Portable End-User Devices [4.11]