Why are laptops still leaking data?
22 February 2010
We are always seeing a lot of information in the media relating to lost company data of one kind or another. The risks and dangers of data going astray have been called out time and time again over the past 10+ years. The whole of the business world knows about it and talks about it for a week, perhaps two. The risks are then forgotten and everyone carries on with the day-to-day operations of the business.
It seems that everyone thinks ‘I need to deal with our data security’, but time passes and they forget about the need for a decent data backup plan, data encryption system, device encryption, data leakage prevention, system auditing, internet controls, etc. The risk doesn’t cause the responsible person immediate pain, so it gets pushed onto the back burner, put on the to-do list at some point, stays there for a while, and then drops off.
I still hear (shockingly) people say to me ‘our data isn’t really of any interest to anyone’. This is frustrating, because I’m sure the customer database, financials, pricing and strategy plans would be very interesting to the competition. It is also very likely that the information on a stolen laptop could be used to seriously damage an organisation, or at the very least the individual whose laptop it was.
It does beggar belief how these issues keep happening, even though the risks are old ones (ancient in IT terms). A company will be paranoid about making sure all the windows are locked and the offices are locked and alarmed, but will not secure its company and customer data effectively.
A few points to sharpen your mind:
1. Encryption – If you lose an unencrypted laptop, I’m relatively confident your company security as a whole could be breached. If not, then a whole host of useful or damaging information could be extracted from it relatively easily. There is a wealth of endpoint encryption products on the market to protect your systems.
2. Mobile devices – The rise of mobile devices, such as Windows-based mobiles and the BlackBerry, is huge and still growing rapidly. Such a device is in essence a neat little package storing a whole wealth of confidential information, which can easily be lost or stolen. You should set up remote wiping where possible, so that if the device is lost or stolen it can be wiped remotely. This may not stop data being recovered, so you should also encrypt the device.
3. Backups – Chances are that your backup data, whether on disks or tapes, is unencrypted. Backup media make a handy little package for taking all the company data in one swoop, often returned without anyone knowing it ever went missing. You should of course also be testing your backup and restore systems regularly.
4. Leakage – So much company data is lost through the email system, web applications, USB devices, CD-burners, etc. If an employee is leaving to join the competition, leaking information, or setting up a rival company, most companies will never even realise the data has gone.
There are of course other holes and risks, and what they are depends on your environment and operations. The ones stated in this short article are common ones that are often overlooked across all sectors; assessing and addressing them will give you improved protection. I would of course always advise regularly assessing and testing your security policy and controls. I found the ISO 27001 framework very useful for continual evaluation and control of risks. It’s obviously a big beast to undertake, as it goes much further than data leakage, but it’s a great way to get a true vision of your environment.