Why are laptops still leaking data?

February 22nd, 2010


We constantly see reports of lost company data in the media. The risk of data going astray has been called out time and time again over the past 10+ years. The whole of the business world knows about it. They talk about it for a week or so, but then it gets forgotten again.

It seems that everyone thinks, “I need to deal with our data security”. Time passes, and the necessity of a decent data backup plan, data encryption system, device encryption, data leakage prevention, system auditing, internet controls, etc. somehow slips from their mind. The risk doesn’t cause the responsible person immediate pain, so it gets pushed to the back burner. Or it gets put on the to-do list at some point, stays there for a while, and then drops off.

Shockingly, people still say to me, “our data isn’t really of any interest to anyone”. This is frustrating because I’m sure the customer database, financials, pricing and strategy plans would be very interesting for the competition. Alternatively, someone could use the data on a stolen laptop to seriously damage an organisation or, at the very least, the owner of that laptop.

It does beggar belief how these issues keep happening, even though the risks are old ones. A company is paranoid about securing its physical premises, but it won’t protect its data effectively.

How to secure your laptops and mobile devices

1. Encryption

I’m relatively confident that if you were to lose an unencrypted laptop, you would suffer a breach of your whole company security. Or, someone could extract a whole host of useful or damaging information with relative ease. There is a wealth of endpoint encryption products on the market to protect your systems.

2. Mobile devices

The rise of mobile devices, such as Windows-based mobiles and the BlackBerry, is huge and still growing rapidly. Each one is essentially a neat little package full of confidential information, which can easily be lost or stolen. You should set up remote wiping where possible, so that if someone loses a device you can wipe it remotely. However, this does not guarantee that someone would not be able to recover the data, so you should also encrypt the device.

3. Backups

Chances are that your backup data, whether on disks or tapes, is unencrypted. Those disks and tapes make a handy little package for taking all the company data in one swoop, and they are often returned without anyone knowing they ever went missing. You should of course also be testing your backup and restore systems regularly.

4. Leakage

So much company data is lost through the email system, web applications, USB devices, CD-burners, etc. If an employee is leaving to join the competition, leaking information, or setting up a rival company, most companies will never even realise the data has gone.

There are of course other holes and risks, and what they are depends on your environment and operations. Although the areas in this article are common, businesses of all types continue to overlook them. Assessing and addressing them will give you improved protection.

I would always advise regularly assessing and testing your security policy and controls as a matter of course. I found the ISO 27001 framework very useful for continual evaluation and control of risks. It’s obviously a big beast to undertake, as it goes much further than data leakage, but it’s a great way to get a true vision of your environment.