COMMENT
Worried about sensitive data on portable devices? Quocirca's Fran Howarth explains how to make sure it's safe and sound.
According to the FBI, two million laptops were stolen in the US alone in 2007 - equivalent to one loss every 15 seconds. Research from data clearing house Data Loss DB shows that, of data breaches made public in 2008, 32 per cent resulted from the loss or theft of laptops, mobile phones or other portable media and storage devices.
Some of those losses can be attributed to the carelessness of the owner of the device - stories abound of laptops left in taxis and USB sticks found in car parks or launderettes. Mobile devices are also attractive targets for thieves.
Such losses can cost businesses dearly. If devices fall into the wrong hands, the information they contain can be used for nefarious purposes - unless it has been protected.
Personal information about employees or customers can be used by criminals for identity theft. Other information such as intellectual property and financial records is equally prized.
The stakes are even higher if the organisation is subject to regulation. Some regulators demand that when data losses concerning information that could be used to identify individuals occur, the organisation responsible for the loss must notify the individuals concerned.
Obviously the answer is not to prohibit the use of all mobile devices. Instead: protect your sensitive data.
This can take many forms, from identity management and data loss prevention (DLP) tools to full-disk encryption.
Identity and access management technologies tie a user's access rights to the permissions they have been granted so that the use of confidential information can be more tightly controlled. For example, a marketing employee can be prevented from having access to the financial records of the company.
DLP tools enable organisations to detect and prevent the unauthorised use and transmission of confidential information, whether deliberately or inadvertently.
When it comes to protecting data on portable devices, DLP tools can help prevent sensitive information from being copied onto such devices in the first place and control how the information is used, such as prohibiting it from being printed or emailed.
While these technologies are useful, the lost or stolen data could still be read. To ensure information on portable devices is truly secure, it must be fully encrypted.
By using full-disk encryption for laptops, mobile phones and other forms of portable media, almost everything on the disk is rendered unreadable, including file names, temporary files, boot sectors and the swap space, with the exception of the master boot record, which must be left unencrypted in order for the drive to start up.
Full-disk encryption is especially important to prevent data loss as unencrypted sectors of disks can reveal confidential information, such as temporary files. Also, full-disk encryption ensures that users cannot bypass the system - files have to be saved encrypted, as there is nowhere on the disk to save anything unencrypted.
Full-disk encryption will not solve all data security woes but it provides strong levels of protection for information held on portable devices and should be considered best practice for all devices used to store data outside of the office.
Its use can help shield organisations from potential fines and reputational risks should devices be lost or stolen, and it helps organisations achieve compliance with privacy and data protection regulations. Organisations can therefore have more confidence in exploiting the benefits of remote and mobile working.
Quocirca's freely available recent report Removing the complexity from information protection, commissioned by WinMagic, explores the options available to organisations looking to improve the security of information stored on portable devices.
It discusses the options available, including new services available in the cloud, and provides organisations with recommendations as to what they should look for when extending their data protection controls to data on devices that are all too easily lost or stolen.
A leading user-facing analyst house known for its focus on the big picture, Quocirca is made up of a team of experts in technology and its business implications. The team includes Clive Longbottom, Bob Tarzey, Rob Bamforth, Louella Fernandes, Fran Howarth and Simon Perry. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking. For a full summary of the consultancy's activities, see www.quocirca.com.
