Prevent stolen tablets, smartphones, and laptops with these basic tips.

David Ellis, Director of Forensic Investigations
By: David Ellis
Practically every business has access to at least one laptop, tablet, and smartphone. For many organizations such as a local restaurant or clinic, these devices help provide quicker access to information, transactions, and services than ever before.

A problem with physical data security begins when users forget to adequately protect these devices. We inadvertently abandon our technology devices in
unlocked offices, forget them on subways, leave them in our cars, and let our kids play with them. According to Healthcare IT News, 9 of 10 of the largest Health Information Portability and Accountability Act (HIPAA) data breaches were caused by physical security issues.
If you store, transmit, or process sensitive data on a device, you will be held liable if any of that sensitive data is lost.
If there is a compliance guideline behind that data, serious repercussions, including financial penalties could arise. Standards like the Payment Card Industry Data Security Standard (PCI DSS) or HIPAA include such data protection requirements and consequences for mishandling sensitive information.

Consider implementing these basic physical security guidelines to your business strategy to protect trade secrets, customer data, and your business.

SEE ALSO: Physical Security: What You Aren't Thinking About

Control physical access to your workplace

The best way to control the physical threat is through a physical security policy, which includes all the rules and processes involved in preserving the business. If you keep confidential information, products, or equipment in the workplace, keep these items secured in a locked area. If possible, limit outsider office/business access to one monitored entrance, and (if applicable) require non-employees to wear visitor badges at all times.

Don’t store sensitive information (like payment card data) in the open. Many hotels keep binders full of credit card numbers behind the front desk, or piled on the fax machine, for easy reservations access. Unfortunately, that also means the collection of files is easy access to anyone within arms reach of the front desk or fax.


Keep inventory of all removable devices

Not allowing devices to go home with their users is an important step to keeping data out of the hands of criminals. Some healthcare offices require their employees to check out a tablet each morning and return it to a locked safe at day’s end. Each user has an assigned tablet slot, and it is obvious if the space is left empty.

Another solution you might consider is attaching external GPS tracking technology on all laptops, tablets, external hard drives, flash drives, and mobile devices.

SEE ALSO: Balancing Mobile Convenience and PHI Security

Document physical security processes

It’s crucial to document the who, what, when, where, and why of device use to determine the responsible party if data is lost. Items that should be documented include a list of authorized users, locations the device is assigned or is not allowed, and what applications are allowed to be accessed on the device.

Oddly enough, it’s also recommended to document what sensitive data your business is trying to protect. Obviously, that must also be protected, and strict controls must be placed to allow access only to authorized users.

Download a free physical security policy template.

Train your employees

While you care about customer card information, patient data, or your own proprietary data, your employees may not. That’s why regular security trainings are so important.


Social engineering is a serious threat to smaller businesses. A social engineer uses social interaction to gain access to private areas, steal information, or perform malicious behavior…and your employees fall for their tricks more often than you think.

If a man walked into your storefront and told you he was there to work on your network and needed you to lead him to the server room, would your employees think twice to further identify him and verify his presence?

SEE ALSO: Social Engineering - It's OK To Be Paranoid

Train your employees to question everything! It’s better to be safe than sorry. Establish a communication and response policy in case of suspicious behavior. Train employees to stop and question anyone who does not work for the company, especially if the person tries to enter back office or network areas.


David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.