Should sensitive data be stored on laptops?
BOSTON, Massachusetts (AP) — Every month seems to bring another episode of sensitive personal information escaping into the wild because a corporate or government laptop computer is lost or stolen. A common response is a lot of hand-wringing over how the data should have been encrypted.
But some key questions usually go unanswered. Why is so much private data allowed to be on laptops to begin with? What do people do all day that compels them to tote around records on, say, 26 million Americans, the staggering number seen in the recent Veterans Affairs case?
“It’s pure laziness. There’s actually no excuse for it,” said Avivah Litan, a security analyst for Gartner Inc. “There’s no good business reason for it.”
Litan advocates a few simple steps: Organizations should keep sensitive information only on secure, centralized servers. Workers can access the data from PCs in the office or over private Internet connections, but can’t store the records on their own machines to fiddle with them offline. Many companies give storage-rich laptops to employees whether they really need them or not. If they absolutely need to analyze data out of the office, the employees should run programs that replace live credit card or Social Security numbers with random “dummy” figures whenever possible, since the actual numbers aren’t always relevant.
Following such rules would have prevented the scare that resulted when a laptop with veterans’ data was burgled from an analyst’s home May 3 (it was later recovered with the information apparently unaccessed). The VA inspector general told Congress that the staffer had been bringing data home for policy analysis since 2003.
It’s true that encrypting data — scrambling them with private codes — can make whatever is found on a laptop almost impossible to read. But encryption often isn’t turned on by users who think it degrades computer performance.
Consider the case of the ING Financial Services adviser who had Social Security numbers and other personal data for 13,000 District of Columbia employees on his laptop — until the computer was stolen from his home last month. ING administers pensions for the district.
The adviser had broken ING rules by not having the data encrypted. ING responded by recalling all employees’ laptops to ensure that encryption software was turned on and couldn’t be switched off.
But the fact that the information was out of the office was not itself a violation. ING officials said the adviser had the records because they corresponded to older pension plan participants who were more likely to call him for assistance. The adviser also wanted the data on hand for potential marketing efforts, such as to help decide whom to invite to a finance seminar.
Now, in light of the laptop episode, ING is reconsidering whether sensitive data should be allowed to leave the nest at all, even if it is encrypted.
Steve Van Wyk, ING’s chief information officer, believes the emergence of ubiquitous broadband connections and secure Web-based business software have made it unnecessary for employees to store private data on portable devices. Not only is that data diaspora a security risk, but it also can be costlier for the company to make sure back-office files and mobile data are in sync, he said. “The ability to control it and protect it may be best if it’s centralized,” he said. “Why even go through the vulnerability?”
To a large degree, the problem of personal data floating away with laptops stems from companies’ tardiness in accepting just how valuable the information is. Otherwise such records would have long been treated like product designs, market intelligence and other business secrets that aren’t allowed to leave secure central computers.
But it’s not clear this problem will ever go away.
Many mobile workers want to keep information “locally” on their laptops so they can work efficiently while traveling, meeting with clients or pounding away in other settings where they can’t connect to a network. That’s why they’re often allowed — even encouraged — to take laptops home.
That was the case for an employee of investment adviser Ameriprise Financial Inc. who had 158,000 clients’ account information on a laptop stolen in January. Ameriprise spokesman Steven Connolly said the worker was one of “very few people” in the company allowed to keep that kind of personal data on his own machine. Connolly would not explain what the man — a corporate-level staffer who did not interact with clients — did that required such intimate access.
In February, a similar theft hit an Ernst & Young consultant, who lost names, addresses and credit card information on 243,000 Hotels.com customers. Ernst & Young spokesman Charlie Perkins would not say why the consultant needed to hold so much live personal information. Perkins said the firm was confident, however, that its policy of encrypting all 30,000 of its consultants’ laptops — a step that was being implemented when the theft occurred — would prevent future incidents while preserving the staff’s mobility.
Even if employees technically aren’t supposed to walk out the door with computers, many will quietly transfer business files to iPods, “thumb” drives and other capacious storage devices, said Sunil Jain, senior consultant for Sprint Enterprise Mobility Inc., the services arm of Sprint Nextel Corp. “It’s much faster to download the data and then do the reports offline,” Jain said. “It’s just human nature.”
Jain finds that even though he knows his company’s central servers are supposed to back up key files every night, he does the same on his laptop just in case. He expects that’s a common move, especially since many companies — including his — tend to give increasingly storage-rich laptops to employees whether they really need them or not.