2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomenon, especially to security professionals. Events in 2005 also made the headlines, such as the ChoicePoint identity theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people, but the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.
The Privacy Rights Clearinghouse, a highly respected nonprofit consumer organization, concluded that since the ChoicePoint theft in February 2005, more than 97 million records containing personal information have been involved in security breaches of some sort involving hackers, dishonest insiders, lost backup tapes, and stolen laptops. I spend a great deal of time meeting with organizations of all sizes and industries, imploring them to take a comprehensive, holistic approach to protecting their data because the technology does exist. This article will focus on one important area of data protection - the stolen laptop.
A recent report by The Ponemon Institute showed that 81 percent of U.S. companies surveyed reported the loss of one or more laptop computers containing sensitive information during the previous 12 months. Clearly, we have a significant problem. Mobile computing and distributed remote offices can boost productivity, but they also represent a significant risk for enterprises. Security breaches due to stolen and/or lost laptops are unfortunate tales that can have a happy ending (or at least a resolution that does not disrupt the business), thanks to whole disk encryption software.
Take a look at just five of the reported stolen laptop incidents from this year:
· Metropolitan State College of Denver, Colorado - stolen laptops with names and Social Security numbers of students from 1996-2005: 93,000 records
· Fidelity Investments - stolen laptop with information of Hewlett-Packard, Compaq, and DEC employee retirement accounts: 196,000 records
· YMCA - stolen laptop with credit card and checking account information and names, addresses, and medical information of children in the program: 65,000 records
· U.S. Dept. of Transportation - a special agent's laptop was stolen with personally identifiable information for 80,000 Miami-Dade County residents, 42,000 Florida residents who hold FAA pilot certificates, and 9,000 other Florida residents: 132,470 records
· Mercantile Potomac Bank - laptop with confidential customer information was stolen when a bank employee removed it from the bank's premises, in violation of policy: 48,000 records
What jumps out from this list is that no industry is more prepared than any other when it comes to security breaches. In fact, consider this breakdown of breaches from 2006:
· 31 percent occurred at government or military agencies
· 30 percent involved educational institutions
· 19 percent took place at "general business" organizations
· 11 percent affected health care facilities or companies
· 9 percent involved banking, credit, or financial services institutions
The resulting breaches of customer data, employee records, or patient information not only compromise individual privacy and business confidentiality, but may result in significant financial repercussions. Organizations faced with a breach may be compelled by law to notify customers or take other actions that result in lost business, increased call centre activity, additional no-cost services, and legal defense expenses that can easily amount to millions of dollars. Additional Ponemon Institute research showed that even a small breach of 2,500 records can result in $1 million of immediate direct costs for the affected organization, and a significant breach compromising 150,000 customer records can result in more than $10 million in immediate direct costs. The long-term effects of lost business, a tarnished reputation, brand equity damage, and resulting legal expenses dwarf the immediate costs resulting from a breach.
Fortunately, again, technology is readily available to help companies avert these unnecessary breaches: full disk encryption solutions, which enable organizations to lock down all data stored on laptops and desktops. With this software in place, even the operating system cannot boot or resume from hibernation until the user has authenticated, so a thief who powers on a stolen machine is stopped before any data becomes readable. And because all data is encrypted and decrypted transparently, full disk encryption does not affect end-user productivity.
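To make the layering in that paragraph concrete, here is an added toy model in Python; it is not part of the original article and not PGP's product code. It shows the usual full disk encryption structure: a random volume key encrypts every sector, that key is wrapped under a key derived from the user's passphrase, and a pre-boot gate refuses to release the volume key (and so refuses every read) until authentication succeeds. Assumptions: the sector cipher is an HMAC-SHA256 keystream in counter mode rather than the AES disk mode a real product uses, so the script needs only the standard library; the passphrase and the "SSN" record are constructed sample values.

```python
"""Toy model of a full-disk-encryption key hierarchy with a pre-boot gate.

Added illustration, not PGP Whole Disk Encryption or any product's code.
The sector cipher is a PRF-in-counter-mode stream built from HMAC-SHA256 so
the script runs with the standard library alone; real products use AES in a
disk mode such as XTS. Layering shown:
  passphrase --PBKDF2--> KEK --unwraps--> volume key --> per-sector keystream
"""
import hashlib
import hmac
import os
import struct

SECTOR_SIZE = 512
KDF_ITERATIONS = 100_000  # assumption: tuned low enough for a quick demo


def _keystream(volume_key: bytes, sector: int, length: int) -> bytes:
    """Block i of a sector's keystream is HMAC(volume_key, sector || i).
    The stream differs per sector, so identical plaintext written to two
    sectors does not yield identical ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(volume_key, struct.pack(">QQ", sector, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """Simulated disk: a thief holds `sectors` plus `header`, nothing else."""

    def __init__(self, passphrase: str, n_sectors: int) -> None:
        self.sectors = [bytes(SECTOR_SIZE)] * n_sectors
        volume_key = os.urandom(32)  # random data key, never derived from the passphrase
        salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 32)
        # Wrap the volume key under the KEK. XOR is sound here only because the
        # KEK wraps a single 32-byte value once; real products use a key-wrap cipher.
        wrapped = _xor(volume_key, kek)
        check = hmac.new(volume_key, b"volume-key-check", hashlib.sha256).digest()
        self.header = {"salt": salt, "wrapped_key": wrapped, "check": check}
        self._volume_key = None  # released only after pre-boot authentication

    def preboot_authenticate(self, passphrase: str) -> bool:
        """Pre-boot gate: unwrap the volume key and verify it before use."""
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.header["salt"], KDF_ITERATIONS, 32)
        candidate = _xor(self.header["wrapped_key"], kek)
        expected = hmac.new(candidate, b"volume-key-check", hashlib.sha256).digest()
        if hmac.compare_digest(expected, self.header["check"]):
            self._volume_key = candidate
            return True
        return False

    def lock(self) -> None:
        """Power-off or hibernation: the volume key leaves memory."""
        self._volume_key = None

    def write(self, sector: int, data: bytes) -> None:
        if self._volume_key is None:
            raise PermissionError("disk is locked: authenticate at pre-boot first")
        padded = data.ljust(SECTOR_SIZE, b"\0")
        self.sectors[sector] = _xor(padded, _keystream(self._volume_key, sector, SECTOR_SIZE))

    def read(self, sector: int) -> bytes:
        if self._volume_key is None:
            raise PermissionError("disk is locked: authenticate at pre-boot first")
        return _xor(self.sectors[sector], _keystream(self._volume_key, sector, SECTOR_SIZE))


def demo() -> dict:
    """Walk through the stolen-laptop scenario and report what an attacker gets."""
    disk = EncryptedDisk("correct horse battery staple", n_sectors=4)  # constructed passphrase
    record = b"SSN=000-00-0000;name=Constructed Example"  # constructed sample record
    disk.preboot_authenticate("correct horse battery staple")
    disk.write(1, record)
    disk.write(2, record)  # same plaintext in a second sector
    decrypted = disk.read(1).rstrip(b"\0")
    disk.lock()  # machine powered off or hibernated, then stolen
    wrong_pass = disk.preboot_authenticate("password1")
    try:
        disk.read(1)
        readable_when_locked = True
    except PermissionError:
        readable_when_locked = False
    return {
        "round_trip_ok": decrypted == record,
        "plaintext_on_disk": record in disk.sectors[1],
        "sectors_differ": disk.sectors[1] != disk.sectors[2],
        "wrong_passphrase_accepted": wrong_pass,
        "readable_when_locked": readable_when_locked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the separation of keys: because the volume key is random and only ever stored wrapped, a password change or revocation rewraps 32 bytes instead of re-encrypting the whole disk, and a stolen machine that was powered off holds nothing but ciphertext and a header that is useless without the passphrase.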
Hopefully by now, you've determined your organization is ready to deploy a full disk encryption solution across your enterprise. If so, here are some best practices to consider:
· Deploy non-intrusive software: Avoid software that replaces critical Windows system files, such as the Microsoft GINA (Graphical Identification and Authentication). Proprietary code increases the risk of system failure and incompatibility with important operating system security updates and patches.
· Enforce strong passwords: Select a solution that can leverage existing domain password requirements. This approach reduces administrative efforts and provides consistent enforcement of policies across the organization.
· Create policy based on an assessment of risks and threats: Single sign-on is convenient for users, but may not be appropriate for all use cases. Consider which users or systems require additional levels of security, such as two-factor pre-boot authentication, and apply security policy as necessary.
· Consider future projects: Will the solution scale and expand to meet not only current security requirements, but also the requirements for future encryption projects?
· Educate users: Take the time to educate end users and management on the threats to the business and the ways solutions such as full disk encryption are protecting the company and its customers.
Beyond full disk encryption, the solution should provide options for protecting USB flash drives, files stored on shared systems, and files and directory archives shared with others. It should also allow for central management so administrators and help desk staff can easily support remote users.
Full disk encryption solutions can provide your organization with strong security for intellectual property, customer and partner data, and corporate brand equity, helping you elude the spotlight of the next widely publicized security breach.
- Phillip M. Dunkelberger is the president and chief executive officer for PGP Corporation.