Despite rising levels of laptop theft and high-profile instances of data loss, businesses are failing to understand the need to encrypt their hard drives or better protect sensitive data.
Research conducted by silicon.com has found worrying levels of insecurity when it comes to laptops, with 63 per cent of respondents saying their company does not encrypt the data on their laptops. Furthermore, 67 per cent of respondents said their companies do not provide laptop locks to reduce the risk of opportunist theft.
Just 18 per cent of respondents are equipped with encrypted laptops and locks while almost half (48 per cent) are equipped with neither.
Bruce Schneier, CTO of BT Counterpane, told silicon.com too few businesses understand the need to secure the data held on laptops.
Schneier said: "It's really simple. Encrypt, encrypt, encrypt. Encryption is the solution."
He added: "The other solution is don't put things on your laptop."
That idea certainly fits with the kind of best-practice espoused by Citrix, which uses laptops as more of a dumb terminal to access sensitive information via a browser and VPN.
Kurt Roemer, chief security officer at Citrix, told silicon.com greater mobility need not mean less security, adding that businesses simply do not need to carry sensitive data on laptops.
As such Citrix encourages users to secure data centrally and use the laptop as a dumb terminal, accessing it securely over a VPN and saving nothing locally. As human error means users cannot be trusted not to lose a laptop and the threat of theft is ever-present, it is better, Roemer argued, to ensure no sensitive data is held on the laptop.
However, Stuart Okin, UK head of security at Accenture, said that approach isn't right for everybody and in businesses reliant upon distributed networks of partners it can prove impractical.
Okin said: "From a compliance point of view of course there is critical data you must show you are protecting. However, data wants to be free."
As such Okin said businesses must take the encryption approach and then allow encrypted data to travel with employees and business partners. However, companies should also be aware, he added, that their exposure could stretch well beyond the laptops they provide to staff.
He said: "Businesses can control the enterprise device because they own it and they can get hold of it," but warned lost laptops may occasionally belong to employees who used them to do some work at weekends.
Businesses must therefore also control what data can be transferred onto any device, and Okin said business rights management is essential. Working more closely with business partners to ensure they use encrypted devices - even if this means supplying the devices - is also essential, he added.
Comments
There are 3 comments.
1. anonymous
What a wonderful illustration that bears on many of the "security" and "control" issues that are regularly aired here. It's the old 80/20 rule writ large. Simple and relatively non-intrusive actions would reduce risk massively. The same is true in many other areas. (I'll lay a bet that a similar survey of whether systems apply, or not, simple, sensible password rules would produce very similar results!) To get risk down to acceptable levels we do not need deeply refined and heavily controlling practices - we just need to apply common sense good practice consistently.
People like Citrix (massive self interest obvious) and lots of security consultants will continue to peddle costly "solutions" that are overkill. If the risk of harm from the loss of a locked, encrypted, laptop is, say, 1 in 1,000,000 (probably rather less in fact) then implementing, let's say, Citrix as well, whilst, for prudence' sake also locking and encrypting laptops, would improve it to what? And would that improvement be REALLY worth the effort? And cost ££ extra for ever and a day?
Let's have more applied common sense, less high-techno enthusiasm and less hysteria!
2. Jeremy Robinson
It is a criminal offence to let personal data be stolen, surely, under the Data Protection Act.
Personnel and customer data should not be allowed out of a secure environment without encryption, and only then the data that is really needed.
Recent lapses of laptop data security are not acceptable and companies should be fined heavily so that the board directors are aware of their responsibilities and act BEFORE the event.
3. Sarah
I totally agree that encryption is the best option for laptops.
However, in the same way that we see articles about simple passwords being the weakest link in IT security, how long will it be before we hear about a laptop that is stolen which does have its data encrypted but that the keys to decrypt it are in the same case as the laptop!
We need to think about the bigger picture here and attitudes towards personal security in the same way that individuals look after their cash and credit cards and would not write their PIN numbers on their cards.
That and employees being held responsible for the loss of company property and also to understand what the true impact of loss of data would be to an organization.
We also need to look at the best way to secure data as is the case in an enterprise and desktop environment too.