Over the past several weeks I’ve had the opportunity to present Symantec’s Internet Security Threat Reports to several of our customers. It has been interesting to see the different reactions and feedback to various sections of the report, but one particular statistic in the report seems to consistently receive positive feedback and general agreement.
The statistic in question is from The Top Causes for Data Breach by Number of Incidents, 2011. The specific statistic is that 34% of all incidents are due to Theft or Loss. When I’ve discussed this particular statistic with customers, I have proposed that these incidents are entirely unnecessary.
At the root of nearly all of these types of incidents is a failure to properly implement, utilize, and enforce the judicious use of encryption on laptops, mobile devices, back tapes, USB storage, and other removable media. If encryption is not in place on these devices and they are lost or stolen, most organizations have to assume that sensitive data was exposed and, depending on applicable laws and regulatory requirements report it as a data breach event.
Given that encryption and data loss prevention technologies are readily available and mature technologies, these incidents should simply never happen. If you want to make sure that your organization is protected, I recommend the following practices:
- Whole disk encryption for all laptops.
- Use of DLP endpoint protection to enforce use of encryption for all email and removable media
- Use of DLP endpoint protection/data at rest protection to move sensitive information off of laptops and onto secured servers, wherever possible
- For corporate-owned mobile devices – enforcement of device encryption with remote wipe capabilities
- For BYOD mobile devices – either require users to install mobile device management to enforce device encryption or implement an application wrapping technology to provide encryption and protection of corporate data on mobile devices
- Encrypt all backup tapes (better yet, move off of tape backup wherever possible)
Implementing these practices could eliminate one-third of breach events. Think of the time, frustration, and money that would have saved organizations last year.