AlertBoot Endpoint Security

Data Encryption Software: Proving That Your Lost Laptop Was Encrypted

  • 44% report they were able to prove the use of encryption
  • Proving encryption was used is important: regulators
  • Third parties for resolving conflict of interest

Absolute Software and the Ponemon Institute have come out with a number of reports on the "human factor" when it comes to data security.  It turns out that a huge factor when it comes to data security is people (just like Soylent Green); nothing surprising there.  For example, business managers tend to think that a laptop computer is secure once hard disk encryption is in place.

IT managers, on the other hand, realize that they still need to employ other forms of security, such as cable locks on laptops.  However, what really caught my eye is the following:

Ninety-five percent of IT practitioners report that someone in their organization has had a laptop lost or stolen and 72 percent report that it resulted in a data breach. Only 44 percent report that the organization was able to prove the contents were encrypted.

In other words, more than half of those surveyed (56 percent) were unable to provide evidence that sensitive information was encrypted, even where encryption had been deployed.

Prove It

Not being able to provide positive proof of encryption is problematic for at least a couple of reasons.

First, it raises the question of how the IT department knows which machines were protected and which ones weren't.  Sure, one can push an "encrypt all computers" command over the network.  However, the IT department still needs to follow up and confirm that each machine actually completed encryption.  The process can fail on any given machine, for instance because it was missing required updates, and there are many other ways it can go wrong.

Remember, the point is not to go through motions--pushing buttons on a software package--but to safeguard sensitive, confidential data.

Second, how else are you going to convince regulators, state attorneys general, and the like that you did have adequate protection on a machine?  You need some kind of proof other than, "Bob from the IT department KNOWS that machine was encrypted."  You have to be able to put forward something other than one person's word: a record, tied to the specific machine and date, that can be checked.

Conflict of Interest - Managed Encryption

Many companies opt for in-house deployment of encryption software because of security concerns (which I encourage, if that's what your company needs; and that's saying something, since what we at AlertBoot offer is a managed encryption service, disk security as a service, if you will).

I've found that, in a significant number of cases, clients opt for outsourced encryption like AlertBoot despite such misgivings.

Initially, I figured it was due to the cost savings involved with managed encryption services: no need to invest in more hardware; no need to update and upgrade, both hardware and software; no need for ongoing maintenance; etc.

It turns out that a chief consideration among these clients was the conflict of interest that arises when proving that their machines are encrypted: when people are accused of lying and doctoring documents, how can a company prove, beyond doubt, that a computer was indeed protected, if the only evidence is a record the company itself controls?

The answer: get an outside organization to keep that record.  Essentially, the idea is that internal "Chinese Walls" don't work, and the guys in the IT department can feel as much pressure to do questionable things as, say, accountants.  After all, they have the same boss.
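The two points above, following up on an "encrypt everything" command and holding evidence that an outsider, not the company's own IT staff, vouches for, can be made concrete in code. The block below is an added example, not AlertBoot's software or the agent any vendor ships. It assumes a hypothetical endpoint agent that reports per-volume encryption status as small JSON records (the sample records are constructed), keeps those records in a hash chain so that no past entry can be altered without breaking every later one, and has each entry authenticated with a key held only by the outside attestor (the key and the attestor are assumptions for illustration). It then lists hosts that still lack a fresh "encrypted" report, and shows that quietly rewriting a failed report to say "encrypted" after a laptop goes missing is detectable.

```python
"""Tamper-evident ledger of disk-encryption status reports.

Added example; not code from the original post or from AlertBoot.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample reports, as a hypothetical endpoint agent might send them
# after an "encrypt all computers" command. accounting-07 never finished;
# exec-03's last report is a month old.
SAMPLE_REPORTS = [
    {"host": "sales-01", "volume": "C:", "state": "encrypted", "ts": "2012-03-01T09:00:00Z"},
    {"host": "sales-02", "volume": "C:", "state": "encrypted", "ts": "2012-03-01T09:05:00Z"},
    {"host": "accounting-07", "volume": "C:", "state": "encryption_failed", "ts": "2012-03-01T09:07:00Z"},
    {"host": "exec-03", "volume": "C:", "state": "encrypted", "ts": "2012-02-01T10:00:00Z"},
]

# Assumption: this key lives only with the outside attestor, never with the company.
ATTESTOR_KEY = b"hypothetical-key-held-only-by-the-outside-attestor"
GENESIS = "0" * 64


def _canon(obj):
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_ledger(reports, key=ATTESTOR_KEY):
    """Chain each report to the previous entry's digest and MAC the digest
    with the attestor's key, so the company cannot rewrite history alone."""
    ledger, prev = [], GENESIS
    for report in reports:
        body = {"prev": prev, "report": report}
        digest = hashlib.sha256(_canon(body)).hexdigest()
        tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        ledger.append({**body, "digest": digest, "attestor_mac": tag})
        prev = digest
    return ledger


def verify_ledger(ledger, key=ATTESTOR_KEY):
    """Return the index of the first entry that fails, or None if every link
    and every attestor MAC checks out."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        digest = hashlib.sha256(_canon({"prev": entry["prev"], "report": entry["report"]})).hexdigest()
        if entry["prev"] != prev or entry["digest"] != digest:
            return i
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["attestor_mac"]):
            return i
        prev = digest
    return None


def unproven_hosts(ledger, expected_hosts, now, max_age=timedelta(days=7)):
    """The follow-up step: hosts with no recent 'encrypted' report, and why."""
    latest = {}
    for entry in ledger:
        r = entry["report"]
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        if r["host"] not in latest or ts > latest[r["host"]][0]:
            latest[r["host"]] = (ts, r["state"])
    gaps = []
    for host in sorted(expected_hosts):
        if host not in latest:
            gaps.append((host, "no report"))
        elif latest[host][1] != "encrypted":
            gaps.append((host, latest[host][1]))
        elif now - latest[host][0] > max_age:
            gaps.append((host, "stale"))
    return gaps


def evidence_for(ledger, host):
    """What you hand a regulator for one lost laptop: its reports plus the
    chain digests and attestor MACs that pin them to a point in the record."""
    return [e for e in ledger if e["report"]["host"] == host]


def demo():
    ledger = build_ledger(SAMPLE_REPORTS)
    now = datetime(2012, 3, 2, tzinfo=timezone.utc)
    gaps = unproven_hosts(ledger, {"sales-01", "sales-02", "accounting-07", "exec-03", "hr-11"}, now)
    # Someone later "corrects" the failed report to say the disk was encrypted.
    tampered = json.loads(json.dumps(ledger))
    tampered[2]["report"]["state"] = "encrypted"
    return gaps, verify_ledger(tampered)


if __name__ == "__main__":
    gaps, bad_index = demo()
    print("hosts without proof of encryption:", gaps)
    print("tampered ledger breaks at entry:", bad_index)
```

The same verification also fails if the company builds a replacement chain itself: without the attestor's key the MACs will not match, which is the whole point of putting the record outside the building.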

Of course, the clients also wanted assurance that the audit of their machines' encryption status was accurate.  One might say this borders on cynicism and paranoia, but I'd disagree: do you know how many reports I read where hard drives bought from on-line auction sites still contain confidential data, in some cases confidential corporate data?  In many such instances, the outside contractor hired to pulverize the disk simply sold it instead.

The true cynic, naturally, would point out that third-parties are as likely to succumb to corporate pressure: Arthur Andersen's financial audit of Enron, for example, is now considered a classic case.

However, remember that at the time there were five large accounting firms (the so-called Big Five): the other four firms didn't succumb to the same pressure, and that is the rule, not the exception.


Related Articles and Sites:
http://www.absolute.com/resource_center/whitepapers/ponemon-human-factor


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.