Being told that one of your employees just lost their laptop can instantaneously wake you up to the reality that your data is not safe, and you just may have been compromised. Thoughts revolve around the data that resided on that drive, and did a current backup exist, or any backup at all. Next, concerns arise relating to what might happen if there is unauthorized access to the data and if it were to be used for wrongful purposes.
Now the adventure begins. Was the laptop encrypted? Does disclosure of the loss of data need to occur and what would the repercussions be to the enterprise?
Upon the loss of a notebook, a typical organisation asks the following questions.
How did the notebook go missing, and is there anything we can do to stop it from happening again?
Organisations now start to analyse their security practices and processes. They try to determine if they need to buy any software or hardware to protect their data – such as encryption, and they look at reviewing their existing security measures. If the organisation subscribes to ISO 27000 standards, they now turn to ISO 27001, which formally defines the mandatory requirements for the overall management and control framework regarding an organisation’s security risks. They will also review their ISO 27002 standards, in relation to ISO 27001, to establish a code of practice and guidelines in protecting sensitive data within their enterprise.
Was the notebook encrypted?
Given the amount of attention that privacy and security regulations around the world have brought to data breaches, the above question is probably one of the first questions to be asked. The reason for this question begins with the exemption clauses under most data breach notification conditions existing within privacy and security regulations. In most cases if you encrypt the media upon which the data resides in adherence to exemption clauses, then you will not be required to disclose a potentially embarrassing data loss.
Is there any way to find out where that laptop is now?
In some cases, organisations want to know if they can track the location of the missing laptop in question. They do so, not necessarily to recover the laptop, but to determine if there are any other measures that they need to take into consideration to further protect themselves. For example, did the recently fired employee take a laptop home and is holding it ransom for severance? Did the contract worker that was in last month take a notebook? Did an employee steal it? Each one of these above conditions may provoke a different set of responses and measures that an organisation may want to execute in order to protect itself legally and the data that may be exposed.
What else can be done to the laptop now that it is not in our possession?
Intel’s Anti Theft Technology now enables some encryption ISV vendors to issue a poison pill to a laptop that has been identified as lost or stolen. This poison pill can be issued to a laptop whether or not it is connected to the internet/LAN and performs two primary functions. It disables the platform and performs an encryption data disable. The first function was intended as a theft deterrent mechanism. The second function further protects the sensitive data on the laptop. In this case, access to an encrypted laptop would be denied even if the individual were in possession of the correct credentials – password, smartcard, USB token, etc.
With new security technologies including Intel’s Anti-Theft Technology and self encrypting drives (SEDs), the ubiquitous protection of data through encryption will only be a matter of time before the encryption of data is a normal practice, just like backing up data.
Joseph Belsanti is the Vice President of Marketing at WinMagic Inc., a leading global provider of full-disk encryption solutions protecting data on laptops, USB thumb drives, and CD/DVDs. In addition to data security solutions, he has been marketing and selling in the fields of IP Address Management (IPAM), and E-services (CRM, E-procurement, Web Services and E-business).