Cybersecurity Awareness Month: The HR Department's Missing Device

PDF

October is cybersecurity awareness month, and this year Maynard’s Cybersecurity & Privacy Team will be bringing you five spooky stories of cyber attacks, data breaches, and other terrifying tales. Released each Monday throughout the month, we hope these frightening accounts help you avoid your own cyber nightmare.

First up is the horror story of the HR department’s missing device.

Late one Halloween night, Joe, the Director of HR at Pumco, a preeminent pumpkin spice manufacturer, got a flat tire while visiting the town of Haddonfield. In the midst of putting on a spare, Joe noticed a stranger in a bloody hockey mask wielding an axe rapidly approaching. Joe, ever the pragmatist, abandoned his repair efforts and fled the scene. Departing in haste, he left his company laptop on the front passenger seat. The following afternoon, Joe returned to find his car present but his laptop gone. On the seat was a note that said, “you thought I was an axe murderer, but I’m really an axe burglar.” “Man,” he thought to himself, “I really wished I wouldn't of locally saved those spreadsheets on my desktop named, 'SENSITIVE INFORMATION_COMPANY EMPLOYEES_' that just so happened to contain the Social Security numbers, driver’s license numbers, and dates of birth of all 1031 Pumco employees.” When Joe reported the incident to Pumco’s security department, things went from bad to worse when everyone realized his company laptop was not tracked in an asset inventory list, the hard drive was unencrypted, and no remote wiping capabilities existed.

One traumatic experience, a lost laptop, several regulatory notices, and 1031 notices to impacted individuals later, Joe and Pumco had learned a valuable (albeit costly) lesson. Though Joe’s night terrors persisted, he started to save documents containing sensitive information in the online HR portal – even going so far as to protect his account with two-factor authentication. Pumco’s security department ventured forth with renewed vigor to inventory, track and encrypt all company-issued equipment.

Don’t be haunted by lost and stolen devices:

• Prohibit employees from locally storing sensitive information on company/personal devices
• Establish a comprehensive asset management program
• Inventory, track, and encrypt company laptops
• Reinforce secure data handling policies in employee training

If you have any questions about how to improve your organization's cyber resiliency, contact a member of Maynard’s Cybersecurity & Privacy Team.