Aren’t laptops great?! They’re small and easy to handle. You can take them anywhere, and they’re fast and powerful enough to do just about anything you want! And how about the other, even more convenient portable devices like PDAs and Internet capable cell phones? Fantastic! You can download files, email people wirelessly, get your work done while waiting to tee off at the golf course, all kinds of wonderful things. But from a business information security standpoint, they are D A N G E R O U S!!!
Now, you might say to me: “But I have a personal firewall and regularly updated anti-virus software on my laptop. I’m very careful about what I upload and download onto it – nothing but approved corporate software applications. And when I communicate business matters on my laptop, I establish my connection securely and use a tunneling transmission protocol that’s strongly encrypted from end to end. You aren’t talking to ME!” And you’re right – all that is very correct and laudable! But is that all you need to do?
A professor at THE Ohio State University just recently had his home burglarized. He lost some jewelry, a shot gun….and two laptops loaded with the personal private information of lots of chemistry students and post graduates! There was federal grant information on there too. This is a MAJOR problem. All of those folks are now subject to identity theft, so they and Ohio State will have to monitor their credit very closely for a long time. And even then, they may never be sure if their information was truly compromised or not. So maybe they get complacent after awhile, and then, years down the road, BAM! They’re nailed! And since they are undoubtedly going to be very angry about this, they are going to do their best to sue you, and if that doesn’t work out, they are at least going to bad mouth your organization to everyone that will listen. And what if the database you lose has the information of tens of thousands or even millions of people on it? You have problems that may never go away. And these kinds of laptop losses occur on an alarmingly regular basis. We’ve all heard about it on the news.
The point of this is, no matter how securely you install and transmit your information on portable devices, you always have to keep physical security in mind. But you might say to me, “Well, I never let my laptop out of my sight when I’m traveling. I have a laptop security cable I use religiously. I don’t leave my laptop in my hotel room, and if anyone gets a hold of it anyway, it takes a password to log onto my computer.” Unfortunately, these kinds of security measures, while essential, are not foolproof or even that difficult to circumvent.
So what is the answer? Encrypt your sensitive data! Encrypt it well, and encrypt it anytime you are not actively using it. A hassle? You bet! But this is the only reliable way I know of to keep thieves from viewing your data. And every year encrypting your data is becoming more of a trivial exercise. Use PGP for example, or encrypt using WinZip – they have 256 AES available. That way, even if attackers get your portable device and bypass the access security all they are left with is a bunch of babble. Then maybe you and your organization might not make the evening news like so many unfortunates organizations have before!
**Editor’s Note: This article was written with a focus on smaller organizations with limited IT resources. Organizations who feel they can support it should also consider options for whole disk encryption, or perhaps research some of the emerging drive specific encryption and access controls just becoming popular. However, in our experience, these controls and tools vary widely in their effectiveness, feature sets and ease of use. In many cases, whole disk encryption and some emerging technology solutions for this problem may be too resource intensive for many smaller organizations to manage. — The Editor