Have you ever left your laptop or phone unattended in a public place? You may have thought nothing of it, figuring that your device was safe enough. But you’re playing with fire. And although your actions might seem harmless, when it comes to cyber security, they can have serious consequences.
Let's explore why safeguarding your hardware devices is important and examine ways to prevent potential cyber attacks.
Physical access means potential compromise
Should someone gain physical access to your laptop or mobile device, even for a short amount of time, they could not only read your messages and access, edit and steal your documents and information, they could also install malware and compromise your accounts. Believe it or not, it could happen with a simple action like plugging in a USB drive, running a script, or getting malware from a malicious website. Bad actors can also impersonate you by sending messages from your account. Think of it this way: you safeguard your privacy by protecting your devices against theft.
Let’s take a closer look at the impact of poor cyber security practices on you and your organization.
Transcript
[The text “Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité” appears onscreen.]
[The text “Canada School of Public Service | École de la fonction publique du Canada” appears onscreen.]
Abbas’ Blunder
Many cyber threats are opportunistic and take advantage of circumstances that will benefit the threat actors.
[A computer with three connecting points, a laptop, and an information system appear with a stack of cash in between them. Target icons then appear on each object.]
Information and IT systems are valuable, and obvious vulnerabilities or easy targets will often be exploited, such as Abbas’ mistake.
[Abbas, with glasses and curly hair, appears.]
Meet Abbas.
[SPLIT SCREEN: Abbas is working with his colleague at the same desk; on the other side he is working at his desk at home. Abbas sometimes works at the office and sometimes works from home. A laptop with a screen that says “No Connection, Retry”, which then transitions to a screen with a file folder. A pointer appears and clicks on the folder and then the download icon. Four folders appear with the download icon on top.]
Sometimes, he’s unable to connect to the work network; so, he's gotten into the habit of copying files onto his desktop, so that he can work on them from home, even when he’s not connected.
[Abbas stands next to his white car, which he locks and then walks away.]
One Friday, Abbas came home and left his laptop in the back seat of his car.
[At night, a thief in a burglar suit appears with a flashlight and breaks the window to the car. He then runs away with a laptop bag.]
Someone broke into his car that weekend and stole his work laptop.
[Two threat actors kneel by the laptop bag and pull out a sticky note with passwords written on it. A laptop screen shows a lock opening and many file folders appearing.]
The threat actors found a list of passwords inside the laptop bag and were able to obtain the data stored on the laptop, including some HR documents that Abbas was working on along with several hundred sensitive personal files of employees.
[Abbas has a panicked look on his face while his supervisor reprimands him. His colleagues are at their desks working in the background.]
Abbas' department had to determine what information went missing when the laptop was stolen.
[SPLIT SCREEN: A man panics after finding out that his information was stolen; a laptop screen shows an email with the description “How to protect yourself after a privacy breach.”]
Employees whose information was stored on the laptop had to be notified about the privacy breach and the need to protect themselves against a greater risk of future fraud and identity theft.
[A female employee is interviewed about the incident.]
A few of these employees spoke to the press about the breach.
[Bullet points appear.]
Abbas could have kept his department and the employees safe by following his organization's procedures for handling government assets and information, including his laptop, while working from home. He could have spoken to someone about implementing an appropriate workaround instead of circumventing safeguards.
[Green checkmarks appear over the bullet points. A hand writes down passwords on a sticky note next to a laptop with a blank screen. A red ‘thumbs down’ icon appears on the laptop screen.]
Oh, and let’s not forget that writing your passwords down and keeping them near your device is never a good idea. Although this is not a true story, the Government of Canada has had to remedy this type of harm. Avoid repeating Abbas’ blunder.
[This video was co-created by: Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité, Canada School of Public Service | École de la fonction publique du Canada.]
[The Government of Canada logo appears.]
Tips for safeguarding your hardware devices
- When you’re not using your mobile phone or laptop, make sure to store it in a secure location like a locked room, drawer or cabinet. Don’t leave your devices unattended in your car or in a public place, like Abbas did. At the office, keeping your devices safe may involve measures like locking your laptop when you step away from your desk. In government offices and businesses, locked doors, ID card scanners, access cards, CCTV cameras and the presence of security officers all serve to protect hardware.
- Instead of using hard drive storage, use only corporate information management (IM) systems. These systems reduce the risk of data loss due to hardware failures, theft or accidental deletions. They come with built-in security features such as encryption and access controls, ensuring the protection of sensitive information. What’s more, IM systems provide real-time communication and access, allowing for easy collaboration among team members regardless of their location.
- Don’t travel with your GC work devices outside of Canada. Mobile devices, like all government devices, are issued for work purposes and are Protected B assets that hold sensitive data and provide access to government systems. The Policy on Service and Digital allows for limited personal use in Canada. However, government mobile devices should only be taken outside Canada in cases of approved business-related travel. More guidance specific to travel is available here.
Other measures that may be put in place by your organization’s IT or security team:
- Encrypting devices, especially mobile ones like USB drives and laptops, for added security. Encryption is the process of converting information from one form to another to hide its content and prevent unauthorized access. It encodes (or scrambles) information to protect its confidentiality. Think of it as an extra layer of protection for the sensitive data stored on your device. With encryption, no one can access your data or programs without having your credentials. Your department already uses encryption for many applications, including encrypted messaging applications and secure browsing.
- Implementing Multi-Factor Authentication (MFA) for lock-screens. Locking your screen with MFA involves two elements: locking with something you know (a password, PIN or pattern), combined with something you have (fingerprint or a unique code generated by an authenticator app). The combination of a password or pin code and a thumbprint is a good way to protect your device from threat actors.
- Using a device finder, which is an application or tool designed to locate misplaced, stolen or lost devices. Such tools use GPS, Wi-Fi or Bluetooth technologies to pinpoint the exact or very near location of a device. For government work devices, it’s put in place and managed by your IT team, who are there to help should you ever need to locate your work device.
- Ensuring devices have a remote wipe feature. Remote wipe is a security feature that remotely erases the data stored on mobile devices. In the government context, the process is initiated by your departmental IT team. The remote wipe feature protects data from being compromised or stolen if the device falls into the wrong hands. It’s also a good idea to have data backup measures in place to prevent data loss.
By following these tips, you can safeguard your devices and data from cyber threats. Take the course Discover Cyber Security (DDN235) to learn more. And stay cyber alert!
Resources
- Course | Discover Cyber Security (DDN235)
- Course | Cyber Security in the GC and Online Exposure (DDN233)
- Course | Privacy in the Government of Canada (COR504)
- Course | Access to Information and Privacy Fundamentals (COR502)
- Article | Level Up Your Cyber Security Skills: Stay Ahead of Evolving Threats!
- Article | Cyber Security Tips to Protect Yourself
