How encryption can add value to your business
With data breaches widespread, no organisation can afford to be complacent, but most data losses are avoidable. Many of the breaches making headline news are caused by the loss or theft of laptops and other portable devices. To protect themselves from financial and reputational damage, organisations can use encryption technologies to reduce risks by ensuring the information on such devices is secure when users are on the move. These technologies can also add value by allowing the secure sharing of information among authorised users and by enabling more secure remote working.
The use of encryption is no longer optional for many organisations. Certain new regulations demand its use while others provide a safe harbour so that organisations do not have to notify individuals in the event of a security breach—provided data was encrypted. Even those organisations that are not subject to such regulation should consider the use of encryption as best practice for protecting data on portable devices.
Introduction: why data gets lost
Losses of sensitive information by organisations make headline news on an almost weekly basis these days. According to the Privacy Rights Clearinghouse, more than 262 million data records containing personally identifiable information have been compromised through security breaches in the US alone since January 2005. Such losses occur for a variety of reasons, including criminals hacking computer networks to get their hands on information that can be used for commercial gain, carelessness by computer users in terms of sending out sensitive information in unprotected communications or losing computational devices, and deliberate security breaches caused by disgruntled employees. Many of these data losses are avoidable.
The majority of organisations have responded to external threats such as hackers by implementing security controls in an attempt to lock down their networks. These include deploying technologies such as firewalls and virtual private networks, and ensuring that security vulnerabilities are patched in a timely manner.
However, data published by Data Loss DB, a data breach clearing house, regarding data breaches that were made public in 2008, shows that just 14% of data breaches were caused by hackers. This compares to more than 32% that resulted from the loss or theft of laptops, mobile phones, or other portable media and storage devices.
Many of these devices are used routinely to process, communicate and store sensitive information such as customer lists, sales records, human resources information or financial details. The majority of organisations today face some sort of regulation that demands that controls are put in place so that data is stored and communicated securely. Some of the most recent regulations go a step further and require an organisation that has suffered a data breach involving personally identifiable information of living persons to publicly notify those affected that their information could have been compromised. The first such regulation was put in place in California (SB 1386) [1] but today most US states have enacted similar legislation, as have many countries around the world. In the EU, authorities can already take action against data breaches under data protection laws, and amendments to the e-Privacy directive (2002/58/EC) [2] were made in May 2009 that make breach notification mandatory for internet service providers should a breach such as theft of a list of customer data occur. Further amendments are likely.