In a recent press release, the British Information Commissioner’s Office commented on a data loss incident experienced by the Cambridgeshire County Council. In a roundabout manner, it turns out that an encrypted memory stick triggered the course of events that led to the loss of sensitive personal information.
The council attempted to do the right thing by providing an encrypted memory stick to its employees, free of charge. However, due to issues with the device, a frustrated employee stopped using the encrypted device provided to him and replaced it with an unapproved, unencrypted one. The unencrypted device contained sensitive information, and unfortunately it was lost, resulting in a data loss incident.
This incident brings up an important issue – it’s not enough to have an encryption policy or to buy encryption technology. It’s just as important (and maybe even more so) to have an encryption policy that can be enforced and does not pose an impediment to the end user. This organization had a proper security policy in place and provided an encrypted device, and still there is a data loss incident it must deal with.
The report doesn’t state what issue the user faced, but there are any number of common annoyances that can lead to user dissatisfaction. Does it work on multiple computers? Does it change the way the user handles normal tasks, such as how to save or open a file? Does it work on different operating systems? What happens when the user forgets a passphrase – can it be recovered? These questions span both the capabilities of the encrypted device and the management issues that provide the backbone for an encryption deployment. They are also the criteria that differentiate an encryption solution for an individual from one suitable for an enterprise.
The second issue is that although the security policy required the user to store information on an encrypted device, there was no technical enforcement of the policy. The user was able to insert an unencrypted drive into his workstation. This is a case where the user had the proper authorization to access the data but didn’t use the right tools to store it safely. To address this aspect of the problem, consider the role of device control. A device control solution enables an organization to establish policies that govern what types of devices may operate on a given computer. One policy that could have prevented this incident would be to ensure that only encrypted devices issued by the organization are allowed on the workstation, and that unapproved personal devices are not.
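As an added illustration of that enforcement idea (example configuration, not Symantec’s product or anything from the original post), the script below uses the built-in Windows Device Installation Restrictions policy: it denies the disk-drive setup class by default and allows only a listed hardware ID. The hardware ID value is a placeholder to be replaced with that of the organization’s approved encrypted stick; the policy path and value names are the ones Group Policy writes for these settings.

```powershell
# Device-control policy: block all disk drives except an approved, organization-issued encrypted stick.
# Run elevated. Writes the same registry values the "Device Installation Restrictions" GPO writes.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Setup class GUID for "DiskDrive" (removable USB storage installs under this class).
$diskDriveClass = '{4d36e967-e325-11ce-bfc1-08002be10318}'

# PLACEHOLDER: hardware ID of the approved encrypted device. Find it on a machine where the
# stick is attached with:
#   Get-PnpDevice -Class DiskDrive | Get-PnpDeviceProperty -KeyName DEVPKEY_Device_HardwareIds
$approvedHardwareIds = @('USBSTOR\DiskAPPROVED_VENDOR&Prod_ENCRYPTED_STICK')

New-Item -Path $restrictions -Force | Out-Null

# Weak state the post describes: no enforcement at all (policy absent or disabled).
# Uncomment to revert to it:
#   Set-ItemProperty -Path $restrictions -Name DenyDeviceClasses -Value 0 -Type DWord

# Corrected state: deny the DiskDrive class ...
Set-ItemProperty -Path $restrictions -Name DenyDeviceClasses -Value 1 -Type DWord
# ... and also apply it to drives that are already installed, so a previously used
# personal stick does not keep working.
Set-ItemProperty -Path $restrictions -Name DenyDeviceClassesRetroactive -Value 1 -Type DWord
New-Item -Path "$restrictions\DenyDeviceClasses" -Force | Out-Null
Set-ItemProperty -Path "$restrictions\DenyDeviceClasses" -Name '1' -Value $diskDriveClass -Type String

# Allow-list by hardware ID. Device-ID rules sit above class rules in the evaluation
# hierarchy, so the approved stick installs even though its class is denied.
Set-ItemProperty -Path $restrictions -Name AllowDeviceIDs -Value 1 -Type DWord
New-Item -Path "$restrictions\AllowDeviceIDs" -Force | Out-Null
$i = 1
foreach ($id in $approvedHardwareIds) {
    Set-ItemProperty -Path "$restrictions\AllowDeviceIDs" -Name "$i" -Value $id -Type String
    $i++
}

# Quick verification of what was written.
Get-ItemProperty -Path $restrictions | Select-Object DenyDeviceClasses, DenyDeviceClassesRetroactive, AllowDeviceIDs
Get-ItemProperty -Path "$restrictions\AllowDeviceIDs"
```

In a real deployment these values come from a domain GPO rather than a local script, and the hardware ID list should match the exact model(s) issued, since a broad ID (for example a vendor-only match) would re-admit the unencrypted sticks the policy is meant to keep out.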
It’s interesting to note that the latest research from the Ponemon Institute indicates that adoption of encryption within businesses continues to grow, yet the cost and frequency of data loss incidents also continue to rise. This is just one example where the right intent to protect was in place but there were still unanticipated consequences. What’s needed is greater awareness of what the business use of encryption looks like, and a better understanding of the best practices for deploying encryption properly, in a manner that meets the objectives of the security policy.
For information about the USB storage encryption solutions from Symantec, visit: