In September 2007, Research Concepts LLC asked 185 members of NetworkWorld's Technology Opinion Panel about the state of computer and data security in their organizations. The results revealed that, although computer and data security are high priorities for corporations, they are nevertheless unprepared to prevent data breaches and computer theft. Common approaches to computer security aimed at minimizing the possibility of data breach were consistently undermined by employees. Indeed, those surveyed reported that only one in 100 employees consistently follows corporate data and security policies.
Physical Security and Authentication
The simplest form of laptop computer security involves protecting the computer and its physical environment. According to Research Concepts, more than 31% of organizations surveyed provide laptop users with cable locks to secure their computers when out of the office. Nearly 94% reported the use of password-based authentication on laptop computers. Interestingly, this same survey group indicated that they believed employees were responsible for most incidents of data breach within their organizations. Clearly, many organizations believe that despite basic precautions such as providing laptop locks and password-protecting computers, employees remain the weakest link in security plans.
Data Breach Regulation Across 37 States
The 2002 California Senate Bill 1386 added a new, public dimension to regulatory compliance. In the event of a data breach such as a lost laptop computer containing sensitive information, the bill requires organizations to notify all parties whose personal information has been exposed. Following California's lead, 36 additional states have enacted similar data breach laws. The Ponemon Institute estimates that it costs a company $197 per missing record when a breach occurs.
Organizational Policy
Research Concepts found that 58% of organizations currently promote policies for the safe use of mobile computing devices and for accessing sensitive files. The University of Miami Office of HIPAA Privacy and Security, for example, details the circumstances under which students and medical staff may download electronic protected health information to a laptop computer. The fact remains, however, that despite these organizational policies, busy salespeople, unknowing marketers and harried administrative staff will contravene policy and load sensitive information onto portable computers. With more than 600,000 laptops stolen each year in the United States, companies relying on organizational policy to protect sensitive data will continue to fuel data breach media headlines.
High Tech Protection: Encryption and IT Asset Management
More than 50% of organizations surveyed by Research Concepts indicated that they protected sensitive information with encryption software. A further 43% reported the use of asset tracking software. Simply knowing where all mobile computers are located is a powerful security measure; however, traditional IT asset management solutions are designed to track only those laptops that connect to a local area network (LAN) or virtual private network (VPN) connection. For a large proportion of laptop users, returning to head office is an intermittent event, allowing many laptop computers to remain below the radar of IT.
Encryption software is commonly referred to as the computer security "fall back". In the event that a computer protected by organizational policy and physical deterrents is stolen, sensitive information on the laptop is made unreadable by encryption. For encryption software to be effective, however, laptop users must consistently and accurately follow company encryption policy. Even more worrisome is the fact that more than 30% of companies believe employees are actively involved in the theft of company computers. Armed with the necessary passwords and encryption keys to access data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone.
The common failing of these laptop security measures is that they rely heavily on the diligent action of laptop-using employees to remain effective. If a cable lock is not used, an authentication password is taped to the keyboard for convenience, or a regular encryption process is not completed, organizations remain unnecessarily vulnerable to public data breach. By the same token, complex, expensive and ultimately productivity-dampening security measures may be effective but greatly reduce the benefits of laptop computers. Endpoint security solutions complement other security measures by providing a final, user-independent layer of protection.
Stolen Laptop Leads to Dismissal
"Just last month, security company VeriSign (VRSN) announced that a contract worker reported that her laptop, which held employee information, was stolen from her car. The employee no longer works at the company. A company spokeswoman told InformationWeek at the time that the woman, who worked in VeriSign's human resources department, failed to comply with company policies that mandate that data be encrypted and that employee information not be downloaded on laptop computers."