So, encrypt already

In recent days, the Transportation Security Administration (TSA), Home Depot and Administaff have managed to join an ignominious list of organizations that have lost laptops containing sensitive and personally identifiable information.

Apparently, none of them had encrypted their data to protect against a breach in the event the systems were lost or stolen. This year alone, there have been more than 60 separate incidents involving potential data compromises resulting from lost or stolen laptops and desktop computers, according to the Privacy Rights Clearinghouse (PRC), which maintains a chronological list of data breaches starting around the ChoicePoint incident (remember that?) in 2005. That number represents more than 20% of the 270 or so disclosed data breaches listed on the PRC web site since January this year.

Most security analysts I speak to find it baffling that none of these organizations thought about encrypting the data on these systems before the incidents happened. The analysts are baffled. I'm baffled. What part of encryption don't companies get? From what I can gather, data encryption these days is a fairly straightforward thing to do and not quite as hard to manage as it was a few years ago. There are any number of vendors in the market offering everything from whole-disk encryption to file, folder and field-level encryption capabilities -- all of which can be implemented without the user having to do anything about it or even knowing about it.

Sure, there's a cost, especially for large organizations with tens of thousands of systems that may need to be protected. But, say the analysts, it's far better to invest in prevention than to spend a whole lot more on clean-up. It's that whole "ounce of prevention" thing. Sage advice.

So why is it that so many organizations have still not implemented encryption, at least on their laptops and other mobile devices? Laptop losses aren't exactly rare. And it's not like companies have much choice left anyway. Industry standards such as the Payment Card Industry Data Security Standard and rules in several states explicitly require companies to use encryption for protecting data.

I'm willing to bet anything that each of the organizations that suffered data compromises from lost laptops and desktops had antivirus tools and firewalls and anti-spyware tools protecting the data. These tools are a given now. It's the basic cost of entry, if you will, to own a laptop or any device that connects to the Internet. But such tools don't buy any protection against system loss or theft. So isn't it well past time to start thinking of encryption in the same way that companies think about antivirus and other desktop protection tools and just implement it already? To paraphrase the old Nike shoe ad: Just do it.

What People Are Saying

These folks need to read

These folks need to read "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It's the best, leading-edge, voice for preventing business exposures and liabilities in the face of rapidly expanding technology... your people will thank you for making this book required reading at your organization.

There's just no

There's just no accountability where these issues are concerned. It's just easier not to.

Let's face it, the problem

Let's face it, the problem is the users, not the technology. Give a monkey a stick and they're just as liable to poke their eye out as they are to dig a grub out of the ground...

"My 5gigs of super important data is in an encrypted volume and I've forgotten my password... can't you just decrypt it like they do on CSI?!?"

Um, no... sorry, I left my 512 qubit quantum computer at home...

All kidding aside, as important as encryption is, what is equally important is clear rules about where data is stored. Things like databases full of SSN numbers shouldn't be stored on a laptop, period.

On many corp laptops, the

On many corp laptops, the really important thing is cached email, i.e. Outlook, etc. Is a 500MB encrypted mail store really workable, performance-wise? Better a small fusion device, set to go off after 5 bad passwords. No laptop! No problem! Well, admittedly perhaps some Edward Tellerish collateral damage....

Sure, there is on-demand

Sure, there is on-demand encryption in XP... but when was the last time you ran an on-demand virus scan... every time you updated any file on your system?

yup...never.

Whole disk encryption is the key for these places, or better yet...proper policies better enforced, such as not storing sensitive data on the local machines.

More importantly, if you think you built the wall no one can get in... you're an idiot. It's all a matter of prolonging the incident.

There really isn't a "cost"

There really isn't a "cost" associated with encryption...

Windows XP Professional... Right click on a folder... Properties... Advanced... Encrypt.

OMG that was hard!

That, combined with reasonably strong passwords, is enough to keep all but the most dedicated crackers out.

Compusec is FREE, even for

Compusec is FREE, even for professional use ... geeze ... I encrypt my personal laptop

http://www.ce-infosys.com/english/downloads/free_compusec/index.html