Laptops are ubiquitous in today’s IT environments. How many of your employees are using laptops in the office, on the road, working from home, or all of the above?
While massively convenient, and a boon to worker productivity, laptops also represent a major liability. They are easy for employees to lose – and easy for a thief to steal.
On balance, most companies likely think the reward is worth the risk. But the risks are significant when you consider all of the valuable data stored on employee laptops, and the potential for data loss and subsequent fines, lawsuits, lost intellectual property and brand damage.
Take the recent example of SterlingBackcheck, a Texas company that provides background screening services to clients around the world.
In early August 2015, SterlingBackcheck sent out a letter informing people that a few months prior a “password-protected laptop was stolen from a SterlingBackcheck employee’s vehicle.”
The laptop contained unencrypted data including names, Social Security numbers and birthdates for roughly 100,000 people. This kind of data is a potential gold mine for an identity thief. Which is why SterlingBackcheck has offered “free” credit monitoring and ID theft protection to those affected (those services are not actually free – SterlingBackcheck has to pay for them!).
Imagine if this was your company: not only would you face the embarrassment – and cost – of notifying customers of their lost data, you’d also face the prospect of negative media attention for the incident and any number of clients, partners or potential customers questioning your business’s trustworthiness.
The risk of this happening to your business is unfortunately quite high. Although you certainly have to protect yourself against the threat of criminal hackers, a large proportion of data loss is the result of a lost or stolen laptop, USB drive or mobile device. In one study of the healthcare industry, 70% of data lost in 2013 by California healthcare organizations was the result of loss or theft of a physical device such as a hard drive or laptop.
The most staggering thing about these reports is that you almost never hear that the data on lost or stolen devices was encrypted. According to the 2015 Verizon Data Breach Investigation Report, an analysis of data breaches found that the words “unencrypted,” “not encrypted,” and “without encryption” were present in four times as many incident reports as phrases such as “was encrypted” and the like.
That’s unfortunate, because disk and device encryption is absolutely the best defense against this type of data loss. When data is encrypted, it is scrambled in unreadable format called cipher text, and only the person with the encryption key can unscramble it again.
I’d like to point out one other thing about SterlingBackcheck’s notice to those affected by its lost laptop data breach. The company says the laptop was “password protected,” as if that was some kind of adequate defense against data loss.
In reality, an unencrypted laptop’s password protection is worth almost nothing – passwords can be cracked in minutes. Besides, a thief would just need to put the laptop’s hard disk into another computer, or boot the “protected” computer from a CD or USB key in order to get at your data.
What if the data on a lost laptop has been encrypted? There’s no way a crook could read your encrypted data, and the laptop would be worth only as much as the thief could get for its parts.
So, why aren’t more businesses encrypting their laptops and other devices? It’s a bit of a mystery, but I believe it’s because businesses think they have adequate security in place already, or that encryption is too difficult or expensive to implement.
These are myths.
If you want to be absolutely sure your data is protected, encryption should be your first line of defense.
And if you still think encryption is too much of a hassle, I urge you to check out the resources at sophos.com/encrypt, including free whitepapers, reports and videos, showing you just how simple it can be.
Tanya Leonard
Very interesting