Don’t be a Laptop Loser
Earlier this year, a laptop containing salary details, addresses, dates of birth, national insurance numbers and phone numbers of some 26,000 employees went missing from a printing firm, which was writing to workers at a major retailer about pension changes. Also, at a large public sector organisation, sensitive information about more than 16,000 council workers was put at risk as the result of another laptop theft. Identity theft is a possible result of such losses.
In the UK, the incidence of laptop thefts outside the home or office increased on average by 6% in 2006; and in some areas, year-on-year increases were up to 45%.
Awareness of the necessity to protect data resident on laptops is still very low. According to the UK’s Department of Trade and Industry (DTI) Information Security Breaches Survey 2006, only one company in seven actually encrypts data on hard disks. The tendency is to be concerned with the cost of losing the machine rather than the cost of losing the data on it, which is likely to be a much higher expense.
Low awareness of these issues may be because we don’t hear a lot about laptop losses. We just tend to hear about major errors when data on laptops is lost by publicly-accountable organizations, such as the police, the military or government bodies.
If personal information is lost on a stolen laptop, there could be serious consequences for those to whom that information refers. Identity theft is one very worrying possibility. In addition to this concern, company-sensitive information is often held on laptops, which businesses wouldn’t want competitors or even anyone outside their organization to see.
The irony of this situation is that companies can easily and inexpensively protect themselves from this kind of data leakage from laptops by using encryption software.
In the past, poor performance and high costs prevented the use of this type of solution, but today’s high performance and low cost products make it impossible to justify not encrypting laptops. Such products can operate transparently in the background, so laptop users won’t find them difficult to use. Solutions are capable of providing complete encryption of a laptop’s hard disk, as well as a user authentication procedure which makes the hard disk secure.
This indicates that the failure by businesses to make proper use of encryption is not due to technology lag or excessive cost. The technology is mature, sophisticated and sometimes already integrated. The argument against the cost of encryption is defeated when that cost is compared to the alternatives: regulatory compliance failure, fraud and reputation damage.
The blame for poor take-up should be laid at the feet of improper risk assessment and management. It is often either Board-level mismanagement, in failing to act on identified risks, or poor risk assessment and communication from the IT Group.
The ROI of centrally managed, mobile encryption systems should be clear, even when including the extra costs generated by the additional IT Helpdesk workload of assisting with key/data recovery and management.
Increasingly, as companies become more aware of high profile data losses and conclude that they need to act, they are identifying areas where they need to deploy encryption - obviously on laptops, but also for e-mail, network attached storage, USBs, mobile devices, etc. This has led to increased interest in UEM (Unified Encryption Management) solutions, which centrally manage encryption across an organization and facilitate migration, over time, to a unified, organization-wide encryption structure.
With the ever-increasing use of laptops out of the office, their vulnerability to theft and loss, and the availability of low-cost encryption solutions, now is the time for organizations to take the leap to securing laptops and avoid being laptop losers. By doing so, they protect data about their employees, customers and partners from potential exposure, they meet their regulatory obligations, they avoid the wrath of shareholders - and they could be saving themselves an awful lot of money!
Most organizations experiencing a high profile data loss also add the cost of purchasing an encryption solution onto the high cost of dealing with the loss. If your company would do the same, then ask yourself if there could be any better ROI than choosing an encryption solution up front and preventing the problem in the first place!
The author
Ian Kilpatrick is chairman of Wick Hill Group plc, specialists in secure infrastructure solutions for e-business.