It’s almost like you can’t trust people these days. You’d think if someone broke into a house looking for valuables they’d at least leave the “work” stuff alone. But NO, the thieves have to go for the laptop, without any regard for how much “sensitive information” might be on it. No regard for the red tape it will put you through when it goes missing. The nerve! Why couldn’t they have just taken the kids’ iPod? It’s worth almost as much…
Folks, it’s all just becoming a bit too much for me, these breaches that could easily have been prevented. This one happened a bit closer to home for me.
Service Canada is a branch of the Canadian Government that does a lot of “Government-to-Citizen” services, sort of like the “Customer Service” division of a company, but for a government. I know they take the “big picture” security issues seriously for their on-line applications. So, how do these “little things” fall through the cracks?
What went wrong?
A government employee took a laptop home that had Personally Identifiable Information (PII), such as Social Insurance Numbers, Bank Account Numbers, Credit Data and Birth Dates. A thief broke into the employee’s house and stole the laptop containing the PII (apparently without wiping the hard disk - how inconsiderate?).
What went wrong?
We think theft is rare. It never happens to us, and hardly ever happens to anyone we know personally. Laptops are so common these days, and getting more affordable. But that doesn’t mean they’re worthless.
In fact it surprises me that it’s only recently we’re hearing about laptop thefts. I don’t think it’s a new phenomenon, as laptops were worth a lot more 10 years ago, and probably had just as much sensitive information on them then. But we never heard about them. I believe the reason we hear about them now has to do with legislation on accountability, governance and disclosure. Most people think of these types of laws as being a deterrent safeguard in and of themselves. But until people make the connection, it’s more of an indirect consequence that is still happening too late to influence behaviour. Eventually, the law will make people think “Gee, I better protect this stuff if I don’t want to end up on the front page tomorrow” (or worse, in jail)!
So the problem here is the will at the top of an organization to address all breach risks in the proper context. People used to think of “infrastructure” breaches as being more critical than “individual” breaches involving a single user. If the user happened to be an employee with a laptop, the assumption was that a breach was a “single-user event”. However, these days, data is fast migrating out of database servers and into spreadsheets, reports, and word processing documents. This is happening without the knowledge of the executives or even the Chief Security Officer (CSO). But they should not ignore this new reality.
People carry mobile devices (laptops, PDAs, etc.) outside the organization on a regular basis. There’s no point in fortifying a server when large amounts of the sensitive data are replicated outside the office and corporate network boundary in waves every day. No firewall can prevent this. Only good policies, enforcement and awareness across the board can.
The Bottom Line
There is a fairly simple solution, when it comes to laptops. Encrypt the disks. Here are the main things to remember:
- Passwords are NOT encryption. Just because a laptop requires a password to log in does not mean the data on the disk is protected. Anyone can remove a laptop disk, place it in their own system and, abracadabra, the data appears.
- Encryption using a government-approved algorithm (AES in the United States, and others such as Triple-DES in Canada and other countries) is the best way to scramble data so it is unusable.
- Whole disk encryption is best for laptops. This means that, in contrast to products that encrypt only certain files or folders, NOTHING on the disk can be viewed without having the right password. The reason I say it this way is that solutions exist for scanning the unencrypted part of a disk for all printable character strings, and using them as the basis for dictionary-type attacks. When an attacker has the computer in his possession, he has all the time in the world to search for password fragments on the disk. If it’s all encrypted they can’t do this.
- Stating that, “The chances of thieves using the PII on a stolen device to commit Identity Theft are low” is NOT a risk mitigation measure. It’s a PR statement aimed at calming people down. Using this as a sole response to a breach is an admission of ignorance when it comes to protecting information. You have no way of knowing what the chances are, especially when it is becoming clearer to everyone that the data is often worth a lot more than the hardware.
- USB memory devices can also have their content encrypted. Lost and stolen USB devices are just as common as laptop thefts.
- Remember, off-site backups of sensitive information are also a leading source of breaches. While off-site backups are absolutely essential for most businesses, many people forget that if they are not protected, they can result in large amounts of data loss. They should be encrypted, or heavily protected with physical security while in transit and in storage.
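To make the first and third points concrete, here is an added example (not part of the original post) that audits three constructed disk images the way a defender would check what a removed drive reveals: one protected only by a login password, one with just the documents folder encrypted, and one encrypted as a whole. The record, the key, the sector layout and the SHA-256 keystream standing in for a real cipher such as AES are all assumptions made for the illustration.

```python
import hashlib
import re

SECTOR = 512
KEY = b"constructed-demo-key"                                  # assumption
RECORD = b"name=Jane Sample;sin=046 454 286;dob=1970-01-01"   # constructed record
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher such as AES; for illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def printable_strings(image: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII, as the Unix `strings` tool reports them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]

def luhn_ok(sin: str) -> bool:
    """Luhn checksum used by 9-digit SINs: double every second digit."""
    total = 0
    for i, ch in enumerate(sin):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def exposed_sins(image: bytes) -> set[str]:
    """Checksum-valid SINs readable from the raw image without any password."""
    hits = set()
    for text in printable_strings(image):
        for m in SIN_RE.finditer(text):
            if luhn_ok("".join(m.groups())):
                hits.add("".join(m.groups()))
    return hits

def audit() -> dict[str, set[str]]:
    """Compare three protection schemes on the same constructed disk layout."""
    boot = b"BOOT".ljust(SECTOR, b"\x00")
    doc = RECORD.ljust(SECTOR, b"\x00")                 # the saved document
    temp = (b"~tmp " + RECORD).ljust(SECTOR, b"\x00")   # temp copy left by an editor
    images = {
        "login_password_only": boot + doc + temp,
        "documents_folder_encrypted": boot + keystream_xor(doc, KEY) + temp,
        "whole_disk_encrypted": boot + keystream_xor(doc + temp, KEY),
    }
    return {name: exposed_sins(img) for name, img in images.items()}
```

Only the whole-disk image comes back with nothing exposed; the folder-only image still leaks the record through the temporary copy that sits outside the encrypted folder.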
While there are many disk encryption solutions that may do the job well enough to actually reduce the risk of a breach, I use PGP Disk to protect my laptop. It’s been rated one of the best, and easiest to use. I feel much more secure carrying my laptop with customer data on it when I know it’s fully encrypted.
