Resources to help security professionals and teams succeed


How to Securely Handle a Lost or Stolen Device: A Practical Workflow

November 09, 2017   |   Team Komand   |   SecOps

It’s 10pm and you receive an email from a teammate that their laptop was stolen at a local networking event. You learn that not only was their computer unlocked, but they were logged into their company email and Salesforce accounts at the time the device was stolen.

Devices like laptops and phones are worth far more than the hardware itself. Everything from customer data to company files and account logins is stored on, or reachable from, these devices, which makes them attractive targets for data thieves. From coffee shops to conferences and airplanes, employees take their company-owned devices everywhere, so it is only a matter of time before one is lost or stolen.

So, when it happens, you need to be prepared with a process. Where do you begin, and what do you do to ensure that the user's accounts aren't compromised and damage doesn't follow? In this post, we'll show you how to prepare for and handle a lost or stolen device.


1. Enforce Physical Device Security

Especially if your team is often on the go or works in an open-plan office, it's critical that they follow a few key security policies. First, they should lock their computer whenever they walk away from it, even for a quick coffee break, and the screen should auto-lock after a short idle period in case they forget. It only takes a second for an onlooker to walk in and swipe an unlocked device, and you can't afford that risk.

Second, all sensitive business accounts (e.g. email, financial systems, customer databases) should have two-factor authentication turned on. That way, a thief holding one device cannot log in without the second factor, which the same person holds separately. Keep in mind that two-factor authentication protects new logins, not sessions that are already signed in on the stolen device (as in the scenario above); those sessions have to be revoked, which is what step 3 covers.

Third, enforce strict password policies, especially for sensitive business accounts, and require that passwords be unique to each account. A password manager such as 1Password or LastPass makes this easy to handle, provided its vault is set to lock whenever the device locks; otherwise the manager hands a thief every credential at once.

It's important that you train all current and new employees on these policies and explain why they must be followed: to safeguard the business.

Ongoing security training is also encouraged to reinforce this message and keep policies top of mind, especially when employees attend conferences, where the risk multiplies.


2. Adopt a Least Privilege Policy

While not always popular with non-security folks, least privilege ensures that users have only as much account access as they absolutely need to do their job. For example, a junior engineer doesn't typically need full production access, so grant only what they need on a day-to-day basis. By defining what each department and role needs in order to get the job done, you limit how far an adversary can get if one of their devices is stolen.

Let's say your marketing team is at a conference and someone leaves a laptop unattended to go talk to a customer who walks by. If someone swipes the device and the owner doesn't have broad access to critical systems, the adversary can't get far. This helps keep a full-blown incident from developing and contains the possible damage to a few accounts.


3. Create a Communication Pathway

When a device is lost or stolen, employees need a way to report it quickly. The sooner the report arrives, the sooner the device's sessions and credentials can be revoked, hopefully before any damage is done.

There are several avenues through which employees can report an issue like this the moment it arises:

  • A dedicated security email address
  • A dedicated Slack channel
  • JIRA, PagerDuty, ServiceNow, TheHive, or other ticketing systems

Whether it's 10am or 10pm, they should be encouraged to submit the report so it can be acted on. From there, you should have security automation set up to handle much of the response for you, especially during non-business hours.

Platforms like Komand, for example, let you build workflows that automatically log the user out of critical accounts: Google, single sign-on providers like Okta, company directories (LDAP), and identity and access tools like Duo Security, among others. This way, the sessions open on the stolen device can no longer reach any of these accounts, and you and your security team don't have to address it at 2am; it's already handled.

When a device is lost or stolen, you can also trigger a password reset for every account tied to the device so that whoever has it cannot log back in. One caveat: a reset link is mailed to the very inbox that may still be open on the stolen device, so revoke sessions first, or expire the password outright rather than mailing a link. Automating this process prevents alarms from waking your team up at night and keeps the business secure 24/7.

Once the account suspension or reset is complete, Komand can then notify the team of the resolution via Slack. Come morning, the team will see the details of the incident and breathe easy knowing it was taken care of.
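To make the workflow above concrete, here is an added example of a small lost-device responder in Python. It is not Komand's code or a Komand workflow; it calls the public Okta, Google Admin SDK (Directory API) and Slack Web APIs directly, in the order the text recommends: clear the user's sessions first (that is what cuts off the already-signed-in device), expire the password second so a fresh login fails too, then post a per-step summary to Slack. The Okta org URL, API tokens, channel name and user login are assumptions supplied by the caller; the RecordingTransport lets the whole thing run offline as a dry run.

```python
"""Lost-device response: revoke sessions, expire credentials, notify.

Added example, not Komand's code. Endpoints are the public Okta, Google
Admin SDK (Directory API) and Slack Web APIs; the org URL, API tokens and
channel name are assumptions supplied by the caller.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]          # (HTTP status, response body)


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


class HttpTransport:
    """Real sender built on urllib. Returns the status instead of raising so
    one failing step never aborts the rest of the response."""
    def __call__(self, req: Request) -> Response:
        r = urllib.request.Request(req.url, data=req.body, headers=req.headers,
                                   method=req.method)
        try:
            with urllib.request.urlopen(r, timeout=15) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode()


class RecordingTransport:
    """Offline dry run: records each request, answers with canned statuses."""
    def __init__(self, statuses: Optional[Dict[str, int]] = None) -> None:
        self.sent: List[Request] = []
        self.statuses = statuses or {}

    def __call__(self, req: Request) -> Response:
        self.sent.append(req)
        return self.statuses.get(req.url, 200), "{}"


class LostDeviceResponder:
    def __init__(self, send: Callable[[Request], Response], okta_org: str,
                 okta_token: str, google_token: str, slack_token: str,
                 slack_channel: str) -> None:
        self.send = send
        self.okta_org = okta_org.rstrip("/")
        self.okta_token = okta_token
        self.google_token = google_token
        self.slack_token = slack_token
        self.slack_channel = slack_channel

    def _okta(self, method: str, path: str) -> Request:
        return Request(method, f"{self.okta_org}/api/v1{path}",
                       {"Authorization": f"SSWS {self.okta_token}",
                        "Accept": "application/json"})

    def steps(self, login: str) -> List[Tuple[str, Request]]:
        """Ordered revocation steps. Sessions are killed first because that is
        what stops an already-signed-in device; the password change comes
        second so a new login fails as well. Okta accepts the login (email)
        in place of the user id."""
        user = urllib.parse.quote(login, safe="@")
        return [
            # Clears Okta sessions; oauthTokens=true also revokes OAuth/OIDC tokens
            ("okta_clear_sessions",
             self._okta("DELETE", f"/users/{user}/sessions?oauthTokens=true")),
            # Moves the user to PASSWORD_EXPIRED: a new password is required at
            # next login, and no reset link is mailed to the exposed inbox
            ("okta_expire_password",
             self._okta("POST", f"/users/{user}/lifecycle/expire_password")),
            # Signs the user out of all Google web and device sessions
            ("google_sign_out",
             Request("POST", "https://admin.googleapis.com/admin/directory/v1/"
                             f"users/{user}/signOut",
                     {"Authorization": f"Bearer {self.google_token}"})),
        ]

    def respond(self, login: str, reporter: str) -> Dict[str, int]:
        """Runs every step even if an earlier one fails, then posts a per-step
        summary to Slack so a human can follow up on anything that did not
        succeed. Returns each step's HTTP status (2xx means success; Okta
        answers the session delete with 204)."""
        results: Dict[str, int] = {}
        for name, req in self.steps(login):
            results[name], _ = self.send(req)
        lines = [f"Lost/stolen device reported by {reporter} for {login}"]
        for name, status in results.items():
            mark = "ok" if 200 <= status < 300 else f"FAILED ({status})"
            lines.append(f"- {name}: {mark}")
        self.send(Request(
            "POST", "https://slack.com/api/chat.postMessage",
            {"Authorization": f"Bearer {self.slack_token}",
             "Content-Type": "application/json; charset=utf-8"},
            json.dumps({"channel": self.slack_channel,
                        "text": "\n".join(lines)}).encode()))
        return results


def all_succeeded(results: Dict[str, int]) -> bool:
    return all(200 <= s < 300 for s in results.values())


if __name__ == "__main__":
    # Dry run with constructed tokens; swap in HttpTransport() to go live.
    dry = RecordingTransport()
    responder = LostDeviceResponder(dry, "https://example.okta.com", "okta-token",
                                    "google-token", "slack-token", "#security-incidents")
    print(responder.respond("alice@example.com", reporter="bob"))
    for r in dry.sent:
        print(r.method, r.url)
```

Two design choices matter more than the particular vendors: the responder never stops at the first failed step, because a partial revocation still shrinks the window an attacker has, and the Slack summary lists each step's outcome so that the person who reads it in the morning knows exactly what still needs a manual follow-up. Directory (LDAP) and Duo steps would slot into steps() the same way.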


Prepare Early, Protect Always

These days, there are more security incidents to prepare for than there are security pros to do it. But we consider device security one of the more critical areas to tend to early on. Since one device can give an attacker access to a boundless number of accounts, it can easily be the cause of a devastating breach, not unlike the ones that make today's glaring headlines.

Security automation and orchestration can accelerate this entire process for you, so you can stay focused on the hundred other high-priority tasks while ensuring this big one is covered.

If you're looking to explore security automation in your environment, you can download our eBook on Security Automation Best Practices below.



About Team Komand

We are the spirited team working behind the scenes to build and grow Komand. We're engineers, designers, marketers, sales professionals, and more!