In the first of our new series, Hot or Not, Peter S. Tippett explores whether laptop threats are a serious threat, or just media hype.
What is it?In the first two weeks of June, news sources reported more than a dozen separate instances of personal information loss. In all cases, the information was being carried on laptop computers that were then lost or stolen, potentially exposing the personal information of hundreds of thousands of individuals. This included medical information, addresses, phone numbers, Social Security numbers, credit and bank account information and — in one instance — fingerprint data.
How does it work?
As the available disk space on portable computers and personal devices continues to expand along with processing power, employees can now download large amounts of data to these devices to perform tasks while disconnected from the organization's network. If this data contains personally identifying information (PII), it exposes this information in the event the device is lost or stolen. In all reported cases, the computers had no data protection, and in many of the cases, the person who downloaded the information did so without authorization and outside of the policies of the organization.
Should I be worried?
Yes. Every organization that deals with PII should be concerned about proper protection and potential loss wherever the data resides. This concern is not only on behalf of the individuals themselves who may become victims of identify theft, but also on behalf of the enterprise and the risk of government penalties, lawsuits, and other corporate image disasters.
How can I prevent it?
Prevention falls into the familiar security areas of policies, procedures and mechanisms. It is as easy to go overboard as it is to provide too little protection. Privacy policies should dictate what kinds of data may and may not leave physical and network security boundaries and how personal information is stored, protected and destroyed. Access logs, questionnaires and automated audits may be used to monitor and correct user behavior. Procedures should separate PII from other general user population information. The enterprise should employ hard disk passwords, disk encryption or file encryption for computers that must contain PII. In addition to the built-in (but not automatically enabled) file system encryption that PCs (EFS) and Macs have, there are other hard-drive encryption solutions on the market. Additionally, developers or programmers should not work with live data. There should be a current enterprise incident response plan to cover the possibility of loss or leakage of PII, and how to react if the worst happens. You should pre-select a security partner experienced in pragmatic advice, investigation and forensics both to help get the preventative balance right, and to be able to react quickly if events unfold.
Peter S. Tippett is CTO of Cybertrust and chief scientist for ICSA Labs.
