
Until all users are security-savvy, encryption is a sensible solution

Laptop computers get lost and stolen in almost every imaginable, and some not so imaginable, way. After the many well-publicized losses of laptop computers, and once you calculate the cost of mitigating a single event, encryption is a logical and uncomplicated decision. First and foremost is the appreciation that citizens expect the keepers of their information to exercise every possible effort to keep that data secure. Second is the recognition that the cost of an enterprise laptop encryption project would be far less than even the smallest of data breach events.

So, are add-on encryption software applications really the Holy Grail for mitigating data loss due to loss or theft of laptop computers?

Absolutely not! At best it's a Band-Aid, but it's also a genuine solution that solves the problem for now. Some new technologies, such as embedded disk encryption, and vendors who ship encryption technology out of the box are becoming extremely price competitive. The real problem is users circumventing policy by putting sensitive data on laptops where it doesn't belong and isn't authorized in the first place.

When we first approached this problem, I had the notion of only deploying encryption on laptops that were actually authorized to store and process sensitive and personal information. You smart readers have already seen the flaw in this logic though. It's not the laptops that are already authorized to process and store sensitive information that are the issue. The problem comes from users who don't follow your policy. We've got to convince people that neither the hardware nor the data belongs to them and that they may be jeopardizing the organization in addition to potentially breaking the law.

So what to do? I've always been a big believer in policy because most people are good at heart and will do the right thing. Naive? I don't think so. Typical users simply don't know what is expected or required of them in most cases. We've all heard this one before, but I'm also an advocate of user security awareness training. By creating sound security policy and reinforcing it with security awareness training, you'll create an environment where all employees understand their responsibilities and that they will be held accountable, and potentially liable, for their actions. As Bruce Schneier said, "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

People have always been, and will continue to be, the Achilles' heel of information security, but good policy and user awareness fill that gap better than any technology ever will. So until we have a population of security-savvy users, encryption is a sensible solution.


30 seconds on...

Cost of a breach 
Costs can vary to rectify a breach, says Mark Weatherford, from $50 per account to notify compromised users, up to $182 per compromised account to resolve the problem, pay the fines, and address liability issues.

Fixed budget 
An event involving 5,000 accounts could cost over $900,000, says Weatherford. That takes quite a bite from a fixed budget, and in a state government, budgets are legislatively approved, sometimes up to two years in advance.

Misallotment of funds 
The Veterans Administration spent millions in postal services alone to notify 26.5 million vets that their data had been lost. That's taxpayer (i.e., your) money, and it's money that doesn't get spent on veteran programs, says Weatherford.

Be prepared
Total costs could eventually top $500 million to prevent and cover potential losses. The $3.7 million contract awarded for deployment of encryption throughout the VA is trivial compared to these post-facto incident costs.

Mark Weatherford

Mark Weatherford is the Chief Information Security Officer at AlertEnterprise, the Chief Strategy Officer (and a Board member) at the National Cybersecurity Center, and the Founding Partner at Aspen Chartered Consulting, where he provides cybersecurity consulting and advisory services to public and private sector organizations around the world.

Mark has held a variety of executive-level cybersecurity roles including Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation, and Chief Information Security Officer for the state of Colorado. In 2008 he was appointed by Governor Arnold Schwarzenegger to serve as California’s first Chief Information Security Officer and in 2011 he was appointed by the Obama Administration as the Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.

Mark is a former naval officer where he served as a cryptologist and was Director of Navy Computer Network Defense Operations, Director of the Navy Computer Incident Response Team (NAVCIRT), and established the Navy’s first operational red team.

He is an investor and on the Advisory Board of several cybersecurity technology companies where he has a very successful track record in helping startups through the M&A process to acquisition.
