Data security has been in the news a lot lately, as a result of some high-profile corporate losses and thefts of laptops, USB flash drives and other data storage equipment. As more users rely on laptops for their main computers, the chances increase that more PCs will be lost, stolen, or damaged. And this means that the potential for data loss or abuse is high and continues to grow.
Actually, even desktops aren't safe. As PCs get smaller and more powerful, their hard drives can be used to store large databases on them -- information that makes them potential targets for theft. "All the big guys in financial services have been investing heavily in disk encryption for laptops, desktops, and portable devices," says Ralph Figueiredo, a sales manager with Aurora Enterprises and a data security consultant. "They are worried about internal theft of systems from their offices as well." One of his clients in Southern California recently had the CEO's desktop PC stolen from the office, complete with personnel and project records. Two weeks later, disk encryption was deployed on all of the managers' PCs and policies were set up for encrypting USB flash drives.
Clearly, stealing only the CEO's desktop points to an inside theft, but that doesn't change the fact that now is the time for IT managers to protect their corporate PC data. Ideally, this protection should be part of a comprehensive security strategy that includes traditional perimeter defenses such as firewalls and antivirus tools. "Corporations can be tighter than Fort Knox with their firewalls, but [they] don't consider how easy it is for someone to walk into their office, lift a machine, and walk out the front door," said Figueiredo.
Fortunately, there are a wide array of encryption and security tools that can mitigate this potential disaster, including some free or low-cost solutions.
A recent CSI/FBI survey of IT administrators has found that 46% of the respondents had to deal with stolen laptops in 2006, with the average loss over the year increasing from $19,562 per respondent in 2005 to $30,057 per respondent in 2006.
"Just about everyone that we speak to these days knows about a stolen laptop situation personally," Figueiredo says. "It certainly is more prevalent when compared to two years ago." It also is easy to find news reports that are filled with reports of stolen laptops or missing USB flash drives with sensitive data.
In 2006, a few of the many incidents of laptop theft resulted in the release of personal information from more than 540,000 N.Y. state workers>, 4,600 ROTC scholarship applicants, 13,000 Washington, D.C., ING retirement plan participants, 2,500 Equifax employees, 196,000 HP employees in a Fidelity benefit and defined contribution plan, and 17,000 patients of Mount St. Mary's Hospital in Buffalo, N.Y. An average of nearly one incident of data theft is added each day to the Attrition.org database that keeps track of such events.
In perhaps the most notorious case last year, the U.S. Veterans Administration lost a USB hard drive and a laptop with more than 26 million records. Fortunately it was recovered, apparently without any data having been accessed.
Some companies are repeat offenders. Boeing Corp. has had three notable laptop losses over the past several years, with each machine carrying critical personal information. This happened despite a corporate policy to not place sensitive information on a laptop without some form of encryption. The last loss caused the employee to lose more than his data; he was fired for violating company policy.