Data Hardly Ever Dies
According to a recent survey, one in every ten laptops will be stolen during its lifetime.
For data thieves, a pilfered laptop is as good as gold. The laptop, software included, will fetch about $1,000 on the black market, chump change for an ambitious crook. The real value of the machine lies in the data stored within.
You see, electronic data does not die – it lives on in removable storage devices, lost or discarded hard drives, on CDs and in e-mail. Think of the information that your corporate executives have stored on their work-issued mobile devices. When you take into consideration the intellectual property, customer lists and financial details, it comes as no surprise that a typical laptop contains data worth between one and five million dollars on the black market.
Finding an interested buyer for this pirated data requires little more than an Internet hookup and a bit of technical savvy. The Web is a virtual bazaar for all manner of illicit products, from mass-market goods to those that are highly specialized. Not only will the thief find a buyer, but the Internet practically guarantees that the parties in this illegal transaction will remain anonymous.
Most of the public attention on the repercussions of data theft has focused on the potential damage to consumers. The Privacy Rights Clearinghouse, which, as its name implies, tracks cases of privacy breaches, reported in 2006 that more than 93 million individuals had their personal data exposed as a result of a data breach.
Of equal concern should be the injury suffered by individual organizations in the wake of these breaches. What if the data stored on a stolen laptop were to find its way into the hands of an unscrupulous competitor? How would your company’s customers feel about your organization if you could not adequately protect their personal details? Once lost, corporate reputation is exceedingly difficult to rebuild.
In addition, failing to adequately protect electronic data is against the law in many states. A California law requires that any company or individual doing business in the state must notify any resident whose unencrypted data has been lost or stolen. Similar laws have been signed in more than three dozen other states and federal legislation is pending. Some of these laws carry stiff penalties – as high as $10,000 a day – for failure to notify affected consumers.
Hard disk encryption is an inexpensive and readily available way to protect laptops against thieves. With encryption, organizations can maintain control of electronic records no matter their location. They can be secure in the knowledge that this sensitive information is protected from thieves and available only to company-sanctioned employees.
Leaving your company’s data vulnerable to thieves is unnecessary and potentially illegal. We know that the chaos of a typical travel environment provides data thieves with ample opportunities. Hard disk encryption leaves them empty-handed.
About the Source
Warren Smith is with San Francisco-based GuardianEdge Technologies (www.guardianedge.com). He can be reached via email at email@example.com. The U.S. Department of Veterans Affairs (VA) recently selected his firm’s encryption product after a laptop theft threatened the privacy of some 26.5 million veterans.
SIDEBAR 1: Put that Data in a Vault
Like many organizations, UNICCO Service Company, one of the country's largest facilities services firms, has become increasingly reliant on laptop computers and mobile storage devices. As a result, the Boston-based company needed to take steps to secure its data on thousands of devices so that the information would be secure even in the event of theft or loss. To solve this problem, UNICCO turned to a vault approach (Rocket Software's Mobile Security Suite), which creates computer-based lockboxes that can be accessed by authorized users but are invisible to everyone else.
"One of the reasons we chose (this approach) is that all of the protection features can be centrally managed," said Bill Jenkins, senior IT director at UNICCO. "More than 70 percent of our workforce is mobile, meaning that they are frequently taking their computers out of the office. Every person that has a laptop in the company may also have a memory stick, so that's also a crucial area of interest for us. Obviously there is a huge potential for loss, so we are committed to protecting that information as well as data stored on laptop computers."
Think Beyond the Laptop ‘Box’
Enterprise security is a growing concern in today’s ultra-mobile business world; yet the focus has been primarily on laptops as the mobile extension of office PCs.
The fact is, mobile devices are quickly replacing even the laptop as the corporate PC on the move. Be it a BlackBerry, Treo or other smartphone, these devices – complete with e-mail, office productivity, Internet and even mobile commerce applications – are today’s equivalent of yesterday’s PCs. What that means for security is that the protections that are the de facto standard for computers have now become critically important for mobile devices.
Though the impact of a major mobile attack has not yet been realized, there have been enough hints of things to come to warrant taking a closer look at protecting these devices – and the corporate networks to which they are tied. A recent hacker conference spotlighted “BBProxy,” a BlackBerry security tool armed with a major vulnerability: the ability to open an entry point to a BlackBerry from an unrelated external source, such as a laptop – and from there, directly into the enterprise network to which that BlackBerry is connected. Similar exploits could occur via the now-popular Bluetooth wireless standard, particularly in crowded areas such as airports.
The worst-case scenario of this particular threat is that it can open access to all of the resources to which the infected device has access. In today’s corporate setting, this typically means e-mail, which is the number one function for BlackBerrys and similar devices. We have already seen the damage that PC-based viruses can do by creating a vector of attack into the enterprise e-mail system, whether it’s accessing a company’s e-mail servers or sending out mass e-mail attacks with worms or viruses. If the device has access to more than just e-mail – such as database systems and other proprietary file systems with customer information, passwords, and other sensitive data – the potential for corruption and theft is even greater.
But let’s dial back from the worst-case scenario and think about even the most benign impact such a vulnerability can have: the device being rendered useless. It’s an on-demand type of world in mobile. It’s all about getting e-mails, making calls and accessing files right now, in real time. The moment that access is interrupted, productivity is lost – for the user and for the business itself.
The basic need for productivity is also the reason that security measures must be instituted at the handset level, rather than simply at the network itself. Smartphones have exploded in popularity because they offer total productivity on-the-go. Security measures instituted at the corporate network level, such as restricting or limiting Internet access or downloading capabilities, limit that productivity – and ultimately, the investment in the device. The key to maintaining full functionality is to install anti-virus, message filtering and other protective software directly on the device itself, just as you would on an individual PC. Unlike PC security software, however, mobile security software must carry an extremely light footprint, and should have little to no impact on device performance. Look for software from vendors with specific experience in the mobile security space to avoid made-for-PC solutions that have been “retrofitted” for mobile phones.
The data on the device itself should also be protected in various ways. Here are five action items, which again borrow from the framework of PC security:
- Encrypt the data to ensure that unauthorized users cannot access the data even if the device is in their possession.
- Implement a remote lockdown or erase capability that can be issued as a command from the network server in the event that a device is lost or stolen.
- Set up a remote backup server to frequently sync with the device and store data that might otherwise be lost if the device goes missing, or its operating system crashes.
- Institute access control and identity protection measures (passwords, etc.) for sensitive files or applications.
- Install a firewall on the mobile device to block unauthorized access to the device, its data, and its network connections.
About the Source
George Tuvell, CEO of SMobile Systems, works directly with leading wireless carriers, device manufacturers and enterprises around the world to identify and address mobile security concerns. Contact George at firstname.lastname@example.org or visit www.smobilesystems.com.
SIDEBAR 2: Protect those Ports
Many chief security executives know that office computers can have “legs” or are vulnerable to “leakage.” That’s why physical anti-theft security products for laptop and desktop computers and peripherals play a significant security role. Enterprise level businesses use them; colleges, universities and healthcare facilities use them.
At the same time, office equipment is getting more sophisticated with read/write CD and DVD burners and USB ports that accommodate flash drives and even hand-sized external hard drives.