By Joseph Ansanelli, Vontu, Inc.
Laptops have enabled us to work whenever and wherever we choose, greatly enhancing our productivity, but they also put huge volumes of confidential data at risk. When a laptop is lost or stolen, its resale value no longer depends on value of the hardware. It is all about the data.
In 2005, laptop theft alone accounted for 33 percent of reported data breach events, according to the Privacy Rights Clearinghouse. Laptops often contain corporate information, customer data and intellectual property, which, if unprotected, could undermine competitive advantage or force the organization to publicly acknowledge the possibility of a data breach, as in the case of the VA and many others. Such incidents may result in millions of dollars in customer notification costs, noncompliance fines, possible federal and class action lawsuits as well as brand damage.
According to a recent study by the Ponemon Institute, the average cost of a consumer data breach is $182 per record. Ponemon analyzed 31 different incidents, with total costs for each ranging from $226,000 to more than $22 million. Typical costs include legal, investigative, administrative expense, as well as stock performance, customer defections, opportunity loss, reputation management and costs associated with customer support such as informational hotlines and credit monitoring subscriptions.
In another recent Ponemon survey of nearly 500 IT security professionals, entitled “Data at Risk,” 81 percent of respondents reported the loss of one or more laptop computers containing sensitive information during the previous 12 months. When asked how long it would take to determine what actual sensitive data was on a lost or stolen laptop, the most frequent answer was “never.” (See more coverage of this report in CIO.com’s sister publication CSOonline.com.)
In today’s mobile business environment, the protection of confidential data on laptops has become a top priority both for corporations and government agencies. To reduce the risk and impact of data loss, organizations must proactively secure confidential data before the laptop is stolen or goes missing, and be prepared to respond immediately when a theft does occur.
Following are three best practice steps that can significantly reduce your risk of confidential data loss and streamline remediation in the unfortunate event of laptop theft or loss.
Step 1: Design and Implement Comprehensive Laptop Security Policies The first and most important step is to review and strengthen your security and privacy policies to include provisions for laptops. A strong security policy reduces your risk of a breach and enables you to manage remediation efforts efficiently. There is no silver bullet solution that addresses every organization’s requirements to safeguard confidential data on laptops, but you can tailor comprehensive security policies to the unique needs of your organization. A comprehensive security plan should include:
- Well-defined policies that govern the way confidential data is accessed, managed and transported
- Extended security policies to include business partners, vendors, outsourcers and consultants
- Periodic risk assessments to identify areas of risk and quantify the impact of potential breaches
- Employee awareness and education, which includes communication of penalties for employee noncompliance, workforce training in basic security techniques and real-time alerts that inform employees as soon as a policy is compromised
- Encryption technologies that secure confidential data on laptops and make access nearly impossible without the appropriate credentials
- Physical security solutions such as key fobs and biometric finger scanners that create additional layers of protection
- Data loss prevention software that discovers exposed confidential data on laptops and protects the data itself by automatically enforcing policies through quarantine and encryption
- Thorough response and recovery procedures to determine severity and escalation and include such good faith gestures as paying for a year of credit- and fraud-monitoring services for affected customers.
Step 2: Reduce Confidential Data Stored on Laptops
A second critical step to mitigate your risk is to proactively reduce the amount of confidential data on the laptops in your organization. Until recently, this action would have required continuous worker education by the organization so that each employee was cognizant of data security policies and exercised constant vigilance so as never to leave unsecured data on their hard drives. But even for the most attentive employees, the form of self-managed policy is simply not an effective method of risk reduction.
Technologies such as data loss prevention solutions are used to scan desktops, laptops and servers to identify unsecured confidential data—including customer information and intellectual property. Then they can automatically quarantine or relocate the information according to policy to reduce the amount of confidential information exposed to loss or theft.
Many organizations have turned to full disk encryption as a preventive measure. While encryption is a key technology to safeguard mobile data, the challenge is how to prioritize laptops for encryption. Without prioritization, encryption efforts would not be focused on the highest risk machines and would be extremely time consuming to implement. Organizations need to first build a prioritization queue based on insight into exactly where the most confidential data is stored. This can be done through a scan to tell you which laptops have the highest amount of confidential data so encryption can be applied to these machines first.
Step 3: Quickly Scope the Impact of Exposed Confidential Data and Accurately Assess Risk
One of the biggest challenges information security teams face is how to quickly and accurately determine what confidential data resides on a missing or stolen laptop. The unscientific approach usually involves numerous employee interviews, searches of e-mail and backup archives, manual reconstruction and speculative forensic analysis of what was potentially lost on the laptop. The process is largely manual, can take days or weeks and, in the end, delivers uncertain results.
Data loss prevention solutions provide quick and accurate insight into data on stolen or missing laptops by automatically scanning e-mail archives and disk backup files to accurately identify confidential data based on data security policies. You should be able to gain insight into:
- What specific intellectual property (e.g., source code, design documents, etc.) was on the laptop, and was it encrypted or unencrypted? This determines what level of action may be required.
- How many individual customer records were on the laptop? Depending on whether there are 70, 7,000 or 700,000 records, entirely different courses of action will be required.
- What specific data types (e.g., Social Security numbers, credit information, etc.) were exposed? The answer will determine whether federal or state regulations may have been violated and if notification may be required.
- Was the data encrypted? This is a key factor in determining potential risk. It is important to note that some state regulations require that you notify customers even if the data was encrypted.
Laptop data protection is a growing and complex challenge. You need to be proactive in designing and implementing comprehensive laptop security policies and reducing the amount of confidential data stored on laptops. You should also be prepared to respond immediately in the case of a theft by quickly scoping the impact of exposed confidential data and accurately assessing the risk.
If you are struggling with this problem, you are not alone. Every large organization faces this challenge today. The good news is that data loss prevention is quickly becoming a strategic component in enterprise security, helping companies prepare and respond, and ultimately minimize the risk of exposure to due a laptop theft or loss.
Joseph Ansanelli, CEO of Vontu, Inc., is a well-known expert in the data security field who has testified before the U.S. Congress on pending legislation to protect consumer data.