News of stolen laptops that contain highly sensitive information surrounds us. Consider, for a moment, your organization and the data that resides on its laptops. Is there customer information, intellectual property, financial plans or other sensitive data? If your organization had a missing laptop would it become a news headline?
A single data loss can be devastating to a company. This can damage the company’s reputation, in addition to costing the company millions of dollars. Such a breach can result in compliance violations on the federal and state level. On the federal level there are several disclosure laws already in place:
- HIPAA (Health Insurance Portability and Accountability Act)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Management Act)
- FACTA (Fair and Accurate Credit Transactions Act)
- OMB Memo (M06-16)
According to analyst firm IDC, as much as 60 percent of corporate data resides unprotected on desktop and laptop computers. With that concentration of data, the organization must take precautionary steps to protect this sensitive information. Several solutions are available to protect the organization.
Full disk encryption can help meet compliance requirements, but does not necessarily eliminate risk. Full disk encryption is transparent to the user, but can fail due to human error. It stops short of being a comprehensive solution if an unauthorized user gains access to the authentication credentials; should the user’s password be compromised the data can instantly be decrypted and vulnerable.
Consider the internal risks. If a user becomes unauthorized (contractor term expires, employee resigns, employee is terminated) but has possession of the computer, encryption will again provide no protection. For encryption to be effective the thief must not have the ability to input the correct password.
Data destruction is an emerging solution for the CIO to consider. The concept of data destruction is data on the computer is more important than the hardware, and the organization must ensure the data is destroyed with certainty and verification. Once an organization has determined the computer is unable to be recovered physically, the company can ensure the data can not be accessed. By combining encryption with data destruction Beachhead Solutions‘ Lost Data Destruction (LDD) offers a final step.
LDD works through client/host communication. Should a computer go missing, the administrator marks the computer as unrecoverable. The next time the computer obtains a network connection and checks in the computer will be notified of the status change and will begin the self destruction sequence. This process is straightforward, but is dependent on the computer obtaining a network connection. There are additional triggers that can be put into place should the laptop not connect to the Internet. Such triggers are based on administrator-created preset rules including, number of unsuccessful login attempts and maximum time allowed between client/host communication events. The customizable rules allow for data destruction of a particular file, folder or the entire PC.
Jeff Rubin, Beachhead Solutions vice president, says, “Users make poor security guards. Requiring users to deploy or manage security is ineffective and exposes vulnerabilities because personal productivity often trumps policy compliance.” Rubin adds, “Data destruction, as employed in LDD, allows users to make “mistakes” without circumventing security. And once the data is destroyed, an organization can enjoy the piece of mind that comes with certainty.”
Backup and Recovery
When data is destroyed it is unrecoverable even if the hardware is located. When considering data destruction, the CIO should also consider backup as part of a comprehensive solution. Backup can occur in various forms, both as in-house solutions and externally. By backing up data the user will be able to quickly recover by restoring the files to new hardware.
The topic of data destruction is where convenience meets compliance and where security meets control. As more stolen laptops become news headlines, CIOs must continue to examine how their organization can balance risk without sacrificing productivity. Compliance is the legal guidelines an organization must adhere to. Mobile security does not stop at being compliant, but rather at being effective and solving the security dilemma to the organization’s standards and customer’s expectations.