Where did your data go?
A civilian employee of a police department disables warehouse security cameras and steals backup tapes, putting identity numbers and the direct-deposit information of 80,000 cops at risk; a leading data broker turns off an electronic security tool that exposes the personal information of more than 13,000 people and brings the company a $275,000 fine from the US Federal Trade Commission. These are not just nightmare scenarios but recent reports of actual crimes and penalties added regularly to an ongoing data breach chronology posted by the Privacy Rights Clearinghouse.
Encryption, which has long been a fundamental part of electronic security, turns ordinary text into unreadable patterns (ciphertext) to protect against unauthorized viewing and use. The receiver of encrypted text uses a “key” to return it to its original plain text form.
“The loss and theft of laptops are the leading cause of data breach,” says Tim Matthews, senior director of product marketing at PGP Corporation, which offers a range of data protection technologies. “It’s conceivable that passwords and building codes could reside on stolen machines and lead to compromises in physical building security.”
But encryption is just one layer in an overall data security plan, observes Ashley Richards, corporate communications manager at Absolute Software. “It won’t protect an organization against the person who writes down their password on a Post-It note and sticks it on the laptop. Using an IT tracking and management solution can help you know where your computers are and who is using them, as well as getting alerts on suspicious activity on them, such as the installation of unauthorized software.”
Encryption strategy needed
A new series of reports by the Ponemon Institute, a privacy management research center, examines the use of data encryption based on surveys conducted with IT and business managers in five countries. 85% of the respondents from the US, 80% from the UK, 69% from Australia, 67% from France, and 53% of those surveyed from Germany reported at least one breach in the last year (of course, many breaches go unreported). Overall, Ponemon researchers discovered a common, growing need for more robust encryption, with the majority of companies now having some type of encryption strategy in place.
Although any given data breach can result in different combined costs—such as lost customers, the process of notifying customers and, increasingly, government regulators empowered to levy staggering fines—organizations pay an average of £1.7 million per breach in the UK and $6.6 million per breach in the US. So even one breach could be a considerable blow to a company’s security budget.
Besides wanting to protect against ordinary criminal activity, respondents from all countries surveyed also shared a concern with the “risk of highly valuable customer data walking out the door with disgruntled employees in the current economic downturn.” Adds PGP’s Matthews: “Just as security professionals install locks and alarms to prevent break-ins, they should consider ‘data locks,’ i.e., encryption, for their sensitive information that leaves the building every day in the briefcases or pockets of employees.”
“It’s becoming equally important to also understand how business partners protect that same data,” Matthews continues, citing the Ponemon statistic that over 40% of all data breaches are caused by a third-party partner or supplier such as payroll or benefits processing. “Even if a third-party supplier is to blame, the company itself may be liable for breach costs and lose significant business.”
Protecting mobile information
According to the Ponemon studies, the need to encrypt data on employees’ mobile devices is also increasing. Observes Matthews about rising technology like smartphones and cloud computing: “They both extend the purview of IT security by increasing the potential exposure of the data. Smartphone users can access and transfer sensitive documents on the go, which is convenient, but these devices are even more easily lost or stolen than laptops. And now not only does IT security have to be concerned with their own servers and client devices, but cloud computing extends the data to cloud vendors who are hosting applications and data storage at facilities located around the globe. Encryption ensures that the data is encrypted no matter where it may be. Cloud providers are a good example of organizations that have concentrations of confidential data and require a combination of physical access security and strong encryption for data protection.”
And when it comes to encrypting data that is in use, at rest, or in motion, whether onsite or remotely, many countries are trending toward the platform approach. Benefits cited for choosing the platform approach (over methods that combine various silo software or hardware options) include lower acquisition costs, the ability to centrally deploy and manage encryption applications, the elimination of redundant administrative tasks, and the ability to add future applications.
Richards from Absolute Software reminds us that it is still important to keep the human element in mind when it comes to the whys and hows of data breaches. “Those in physical security should still train staff to recognize what situations, motivations and behaviors can lead to unauthorized people obtaining access to a location in order to steal or access computers.”
Ponemon has developed a Security Effectiveness Score, based on 24 attributes for best practices, of which four seem especially key takeaways for those protecting physical access: know the physical location of sensitive or confidential information; limit the physical access to storage devices containing such information; keep up with privacy and regulatory requirements that impinge on physical security and urge your organization to comply before a breach; and know the endpoints of your company’s network to better secure them, as they will inevitably expand with new options in virtualization for employees, customers and business partners.