I saw a press release today about the Credant Technologies report, "Mobile Data Breach Report 2006: “What’s at Stake? Who’s the Victim?”"
Despite the vendor’s view that the results are surprising, they really are not, given the actual incidents that have been occurring and the comments from large numbers of CISOs and CPOs trying to get budgets. I did not view the actual report and study details; you have to send an email to the Credant folks for that.
Some of the statistics to note that were given in the press release:
- "The CREDANT laptop survey was conducted in July 2006, with emails sent to nearly 17,000 Global 2000 IT professionals. Of those, four hundred and twenty six respondents from around the world completed the questions that make up the final outcome of the survey."
So this is just a 2.5% return on the survey. The actual demographics were not given either, and that is definitely a significant consideration for the findings. However, there are still points to note within the resulting data.
- "88% of respondents know that volumes of sensitive data resides on mobile devices; 72% state that encryption is required for compliance, yet less than 20% have implemented encryption."
This points to problems with non-support of policies by executives, and no sanctions for noncompliance. Business leaders need to realize that their policies will not be effective unless they clearly and actively support and enforce them. They must also know that having policies that are not enforced will hurt their organization in any litigation they get into that can be related to the policies, for example litigation resulting from an incident involving PII, which organizations should consider a very likely possibility given the "volumes of sensitive data" on their mobile computing devices.
- "52% of respondents state that personally identifying information such as Social Security, driver’s license numbers and financial, medical or other confidential personal information is stored on mobile devices. While 62% stated that up to 25,000 accounts would be impacted if a laptop were stolen, 30% reported that between 25,000 and 2 million accounts would be impacted; and 5% had no idea of how many accounts were vulnerable."
Why do organizations continue to allow entire databases of personally identifiable information (PII) to be loaded onto mobile computing devices and storage devices? Where are their access controls? What are the real reasons they continue to allow such vulnerable data to be loaded onto these devices? It seems access control has gotten very lax over the past decade as the numbers and types of information sharing technologies have exploded. It seems that keeping a handle on access control, and enforcing the minimum required access to data that so many regulations require, is just too mind-boggling to manage, resulting in PII gone wild onto enterprise laptops, PDAs, USB thumb drives, and other end-user-controlled technologies.
If there is a legitimate business need to copy such huge amounts of PII onto mobile computing devices, then companies must encrypt that data, not only to protect the PII but also to demonstrate due diligence.
I think the 5% number not knowing is way low; I believe that a much higher percentage of companies do not really know where all their PII resides. It is important to have a policy against copying PII to mobile computing devices, but you also have to implement procedures to check, in one or more ways and on an ongoing basis, where PII truly resides, to ensure the policies are being followed.
- "However, when asked to identify the top three reasons why encryption, considered the primary data privacy and protection option, was not implemented, the number one reason cited by 56% of the respondents was lack of funding. The second place response by 51% of the respondents was that encryption was not an executive priority. Limited IT resources was cited by 50% of the respondents as the third obstacle in getting the job done."
Yes, I hear lack of funding often. If there is no money for encryption, though, business leaders must find a way to keep PII off mobile computers.
Information security and privacy due diligence is not free.
Another activity that is comparatively inexpensive and very effective, yet that businesses still do not do enough of, even though it probably has the greatest positive impact on information security and privacy, is providing ongoing information security and privacy awareness and training to their personnel.
Technorati Tags
information security
IT compliance
policies and procedures
laptop security
encryption
data breach
awareness and training
privacy