AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

BYOD Full Encryption: Because Sensitive Data Will Drift To Where You Least Expect It

If your workplace offers BYOD (bring your own device) or similar programs where an employee is authorized to bring and take portable computing devices for work-related purposes, it really pays to take a second look at full disk encryption like AlertBoot.  Why?  Because sensitive information, no matter how much or how hard you try, will end up where it shouldn't, as Washington University in St. Louis's recent case shows us.

Unencrypted Laptop with PII Stolen

Washington University in St. Louis (WUSL) has alerted the Maryland Attorney General's Office that they suffered a data breach when a laptop computer was stolen from one of their employees.  As it turns out, the information was limited to business partners and one Maryland resident.  As data breaches go, it's a very small one.

There is no doubt that WUSL did a great job of managing their data.  Here you have a data breach that involves personal sensitive data, and instead of affecting hundreds of thousands of people, it affected one.  Sure, you have a number of business partners (probably not innumerable), but the letter to the AG implies that only one SSN was breached in this fiasco.  In a sense, there was no need for encryption; the breach was not dire enough or big enough.

On the other hand, here you have an organization that is forced to alert the authorities that they suffered a data breach because they missed one guy's data.  What kind of damages, intangible or otherwise, are associated with this breach report?  What if the AG decides to investigate the incident, regardless of what the reason might be (political, legal, what have you)?  You know, the proverbial camel's back?

Users Decide?

One thing in the breach notification letter that caught my attention was the following passage:

"To help prevent something like this from happening in the future, Washington University has re-educated its staff in the importance of handling personal information securely and continues to enhance its information security safeguards."

Education works.  It makes people more aware, it changes behavior, and definitely increases overall security levels.  But this statement is not true for everyone.  You will have people who will sit through the seminars and whatnot because they have to.  You will have people who initially respond and engage but start to slowly (but surely) ignore security issues as days turn into months.  You will have people in denial ("it happens to others but not me").

If data security is an issue at the workplace, one must do a little more than educate people, especially when research shows that people are either unwilling or incapable of change.

Behavioral science, for example, shows us that results can change drastically depending on whether one follows an opt-in or opt-out model since people tend to stick with the default settings.  For example, if it's up to the user to encrypt a laptop, then most laptops will go unencrypted, even if people know that encrypting is better.

When such realizations are factored into computer data security, it only makes sense for organizations like WUSL to require encryption (possibly using a centrally managed encryption solution to keep track of encryption rates), and not stop at just educating employees.

Related Articles and Sites:
http://www.databreaches.net/washington-university-in-st-louis-notifies-business-partners-after-laptop-with-unencrypted-pii-stolen/
http://www.oag.state.md.us/idtheft/Breach%20Notices/itu-234645.pdf

 

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.