Technology for dealing with lost laptops
Manage your data and encrypt everything all the time - that's the advice from security experts in the wake of another slew of public and private sector data breaches.
Lost laptops and misplaced CDs seem to have become a near-weekly occurrence - in the past week, there's been news of three lost Ministry of Defence (MoD) recruitment laptops, four court discs from the Ministry of Justice, and a sanction from the data protection watchdog for Marks & Spencer.
With the near-ubiquity of portable devices for mobile working, it's no surprise the things get lost, stolen or otherwise misplaced. But when said devices carry not just corporate secrets but the personal, private details of millions, such mistakes carry a heavier weight.
Indeed, the case of the lost laptops from the MoD has had many asking what measures should have been in place - and why so much data was being held on them.
Secretary of State for Defence Des Browne told parliament that the MoD had proper procedures in place to keep sensitive data off of portable devices and that the laptops had encryption software - yet the procedures were not followed and the laptops were not encrypted.
The human factor
Such data breaches have shown that users simply do not follow policies, and that people can't be trusted not to lose their devices - or not to leave them in the car overnight, where they can be stolen.
Alan Bentley, the vice president of Lumension Security, said education is necessary. "At the heart of all the recent data losses, is a lack of awareness and coherence to the organisation's security policies. The 'human factor' is often the weakest link in any security armour and the MoD is no exception to this rule."
He called for organisations to properly educate employees about the risk of data theft and to stress what happens if they don't take heed. "Unless employees start to understand that their job is on the line if they fail to follow procedures, this culture of careless data handling will continue," Bentley said.
Joe Fantuzzi, chief executive of Workshare, said: "My sense is that policies are written to be broken... Policy is good to have as a baseline, but policy won't prevent problems."
So the question is: what will? And what will stand up to hackers should they realise the potential of the data on a stolen disc?
Clive Longbottom, principal analyst at Quocirca, runs down the problem: "Policies are spineless, and get ignored. Therefore, companies have to design for idiots, and this means various approaches." First, Longbottom suggests centralising and locking down data, so that when a device is stolen, no data is lost. Second, and more importantly, is to encrypt the information which is on a device.
Keep data off portable devices
The first step, then, is to ensure data is not actually kept on portable devices. While mobile working is making this increasingly common, much data does not need to be taken out of the office, experts have said.
"People need to make a decision whether they need laptops," said Richard Farnworth, general manager of enterprise solutions for NEC, adding that technology such as virtualisation can help keep centralised data in its right place, while still allowing mobile access.
He recommended the use of disc-less laptops, where no information is held, but access to centralised data is through wireless connections over a VPN. "The key thing is, if lost it has nothing," Farnworth said. "It has the ability to connect to the office, but if you lose it, it really doesn't matter."
While he said some people will still need full-spec laptops, as they run more heavy-weight applications, sensitive data can still be left at the office. As MPs asked Browne in parliament after news of the MoD breach broke, why did recruitment staff need to have lists of national insurance numbers?
Quocirca's Longbottom explained: "On remote devices where there has to be some data (e.g. salespeople, field service), the company has to ensure that only the information critical to the person's job is there - everything extraneous should not be there. For example, it is unlikely that the Navy employee needed all the NI numbers or bank details of the people he was carrying information on - it was more probable that he needed addresses and more qualitative data, such as the CVs. If only this had been nicked, it would be far less of a problem."
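The data-minimisation step Longbottom describes can be enforced in the export path rather than left to policy. The sketch below is an added example, not code from the article or from any organisation named in it: it copies only allowlisted fields to the laptop export and redacts National Insurance numbers or sort codes that have leaked into free text. The field names and the sample record are constructed assumptions.

```python
import re

# Assumption: hypothetical field names. The allowlist holds what the article
# says a recruiter plausibly needs on a laptop (addresses, CVs), nothing more.
MOBILE_ALLOWLIST = {"candidate_id", "name", "address", "cv_text"}

# Identifiers that must never reach a portable device, even inside free text.
PATTERNS = {
    # UK National Insurance number: two letters, six digits, suffix A-D,
    # written either solid or spaced ("QQ 12 34 56 C").
    "NI number": re.compile(r"\b[A-Z]{2}\s?(?:\d{2}\s?){3}[A-D]\b", re.I),
    # UK bank sort code written as dd-dd-dd.
    "sort code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
}


def minimise(record):
    """Return (safe, findings, dropped) for one record bound for a laptop.

    safe     - allowlisted fields only, with leaked identifiers redacted
    findings - (field, identifier type, count) for each redaction made
    dropped  - names of fields withheld because they are not allowlisted
    """
    safe, findings = {}, []
    for field in sorted(MOBILE_ALLOWLIST & record.keys()):
        value = str(record[field])
        for label, pattern in PATTERNS.items():
            value, hits = pattern.subn(f"[{label} removed]", value)
            if hits:
                findings.append((field, label, hits))
        safe[field] = value
    dropped = sorted(record.keys() - MOBILE_ALLOWLIST)
    return safe, findings, dropped


# Constructed sample record (QQ is a prefix not issued for real NI numbers).
SAMPLE = {
    "candidate_id": "C-0001",
    "name": "A. Example",
    "address": "1 Example Street, Exampleton",
    "cv_text": "Ten years as a marine engineer. NI no: QQ 12 34 56 C.",
    "ni_number": "QQ123456C",
    "bank_sort_code": "00-00-00",
    "bank_account": "00000000",
}

if __name__ == "__main__":
    safe, findings, dropped = minimise(SAMPLE)
    print(safe, findings, dropped, sep="\n")
```

The findings list is worth logging centrally: a redaction in a free-text field means sensitive identifiers are being typed into places the schema does not expect.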
Encrypt everything, all the time
For the data that is left on laptops, security policies need to be backed up with some solid technology: encryption - the very thing the Information Commissioner told M&S to do to all its laptops this week.
"The simplest way is to encrypt the entire disc," said Workshare's Fantuzzi. "If you use full disc encryption (FDE) they can only wipe the drive clean. You're going to lose your laptop, but they're not going to get your data."
As a stop-gap measure following the MoD debacle, the cabinet secretary has banned any laptops from leaving government offices without first being encrypted - but such a policy was already flouted in the case of these missing MoD laptops.
So what can organisations do to prevent their own workers from being the weak link in a chain? Nick Lowe, regional director for Northern Europe at security firm Check Point, said that companies must automate the security, taking it out of the hands of their employees.
"The big security issue with laptops is to have full-disk encryption (FDE) across the laptop fleet. FDE automates the encryption process and secures the entire disk, so mobile users don't have to worry about security - and can't interfere with it," he said.
Spencer Parker from ScanSafe agreed, saying users cannot be given a choice with security, as they'll make the wrong choice. "The key thing, to ever get a policy to work convincingly, is you've got to have zero end-user input... they can't ever be offered a choice," he said. "The moment you give them an opt-out, they will... you're never going to stop an end-user being stupid."
Due to this inherent problem, Donal Casey, a security expert from Morse, said pre-boot encryption was key, as it ensured the disc was encrypted constantly. "It cannot be bypassed - even from another machine," he said.
However, encryption doesn't end with the laptop, Lowe added: "Then you need control over removable media, as the hard drive is only one storage medium on a laptop. Endpoint security should stop data being copied onto CDs, DVDs or USB devices. Port control solutions do this by automatically blocking a USB device that does not comply with the security policy, or prevent the transfer of certain files or file types."
Lowe added: "The really crucial thing is to do all this automatically, without user intervention, because this literally protects people and organisations from their own mistakes."
While stories of stolen laptops and mislaid discs make excellent scandals, most laptops don't contain important information. "Lots of people carry laptops, and most don't have confidential customer information," said Guy Bunker, chief scientist at Symantec for EMEA.
Despite the high media profile, it's often low on the radar of executives. "[Security] is never high enough on the list - there's no massive business benefit. It's almost intangible," said Morse's Casey.
If laws in the UK head the way they have in parts of the US, then data breach legislation could drive more people to use encryption. "In the states, if you're encrypted you don't have to declare [data breaches]," Symantec's Bunker noted.
Either way, strict policies - backed up with employee education and clear repercussions - paired with data management and unavoidable encryption will keep most organisations out of deep trouble, should the inevitable happen and a laptop wander off.
The key is to accept that it will happen and to plan for it, because as NEC's Farnworth noted, they're an easy win for criminals: "It's a lot easier to steal a laptop than filing cabinets with 600,000 files in them."