Laptop computers get lost and stolen in almost every imaginable, and some not so imaginable, way. After the many well-publicized losses of laptop computers, and once the cost of mitigating such an event is calculated, encryption is a logical and uncomplicated decision. First and foremost is the appreciation that citizens expect the keepers of their information to exercise every possible effort to keep that data secure. Second is the recognition that the cost of an enterprise laptop encryption project would be far less than even the smallest of data breach events.
So, are add-on encryption software applications really the Holy Grail for mitigating data loss due to loss or theft of laptop computers?
Absolutely not! At best it’s a Band-Aid, but it’s also a genuine solution that solves the problem for now. New technologies such as embedded disk encryption, and vendors who incorporate encryption out of the box, are becoming extremely price competitive. The real problem is users circumventing policy by putting sensitive data on laptops where it doesn’t belong and isn’t authorized in the first place.
When we first approached this problem, I had the notion of only deploying encryption on laptops that were actually authorized to store and process sensitive and personal information. You smart readers have already seen the flaw in this logic, though. It’s not the laptops that are already authorized to process and store sensitive information that are the issue. The problem comes from users who don’t follow your policy. We’ve got to convince people that neither the hardware nor the data belongs to them, and that they may be jeopardizing the organization in addition to potentially breaking the law.
So what to do? I’ve always been a big believer in policy because most people are good at heart and will do the right thing. Naive? I don’t think so. Typical users simply don’t know what is expected or required of them in most cases. We’ve all heard this one before, but I’m also an advocate of user security awareness training. By creating sound security policy and reinforcing it with security awareness training, you’ll create an environment where all employees understand their responsibilities and that they will be held accountable, and potentially liable, for their actions. As Bruce Schneier said, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
People have always been, and will continue to be, the Achilles’ heel of information security, but good policy and user awareness fill that gap better than any technology ever will. So until we have a population of security-savvy users, encryption is a sensible solution.
30 seconds on…
Cost of a breach
The cost to rectify a breach can vary, says Mark Weatherford, from $50 per account to notify compromised users, up to $182 per compromised account to resolve the problem, pay the fines, and address liability issues.
An event involving 5,000 accounts could cost over $900,000, says Weatherford. That takes quite a bite from a fixed budget, and in a state government, budgets are legislatively approved, sometimes up to two years in advance.
Misallotment of funds
The Veterans Administration spent millions in postal services alone to notify 26.5 million vets that their data had been lost. That’s taxpayer (i.e., your) money, and it’s money that doesn’t get spent on veteran programs, says Weatherford.
Total costs could eventually top $500 million to prevent and cover potential losses. The $3.7 million contract awarded for deployment of encryption throughout the VA is trivial compared to these post-facto incident costs.