Dealing with lost or stolen assets

Updated to include a brief article in Network World that was posted recently (here)

Hundreds of thousands (probably millions, maybe even billions – who knows) of devices are lost or stolen every year, and the number will continue to increase as more of the population adopts mobile technology, taking the workforce outside the control of IT. These devices contain a rich offering of information for the consumption of deviants and of those who simply stumble upon the data. Even if the corporate intellectual property has been scrubbed, the email contact list and inbox contents could be a gold mine for someone.

Of course there has been no shortage of high-profile laptop loss events. From academia to the federal government, financial services, presidential candidates and security auditors, every industry has fallen prey to opportunistic as well as orchestrated thefts, and with the thefts comes the inevitable series of disclosures. Some disclosure statistics put the price of notification at around $100 per contact, not including the damage to the company and its brand. It is an issue that should be top of mind for all organizations, yet very few have properly implemented a method for limiting the impact of lost or stolen assets.

The first thing to realize is that losing the device itself, the hardware, is hardly the issue; insurance can replace the material stuff easily enough. The information the device stores is the problem. Most organizations have no idea how data is accessed and stored, or where it travels when it moves in and out of organizational control. Very few have implemented processes and controls over the flow of data in and out of their environment, and even fewer have any visibility into the data that resides on machines that are stolen, or into the security state of those machines for that matter.

Information Security needs to be about securing information

Only recently has the impetus to secure applications and data driven organizations to refocus their efforts on the critical asset, the data itself, which forms the foundation of most organizations' DNA. For the most part, information security programs have been focused on securing systems and the networks they support. However, an increasingly hostile and financially motivated threat environment, targeting the theft of data and services, coupled with breach disclosure laws, is forcing organizations to rethink their security measures.

If we are to move away from the constant barrage of information leaks, the orgy of disclosure that marked the changing tides in information security through 2006, information security programs must evolve from simply defenders of hard assets to securers of information. Data security becomes extremely difficult, however, against the backdrop of a more mobile workforce.

The war for data security is not lost. New technologies and processes can effectively prevent significant loss and dramatically lower the damage potential, but IT must adopt a program that embraces data security and stop fooling itself into believing that traditional measures will protect it from evolving threats.


3 thoughts on “Dealing with lost or stolen assets”

  1. Did you see the new technology offered by Alcatel-Lucent that allows IT to locate and remotely kill a lost laptop – even if the laptop is turned off?
    See the link above.

  2. Previously IT security in the commercial space concerned itself mostly with the issues of integrity and availability to ensure accuracy and timeliness in making business decisions.

    In a post-Enron compliance world, coupled with privacy concerns, the emphasis seems to be growing on the confidentiality of data, the third element of the triad.

    Defense organizations used expensive and complex specialized systems to achieve this, as confidentiality was their main goal. These systems were non-starters for the business world, who made do with network security, as historically the conventional response to repel the invader hordes has been perimeter security.

    The question to me might be not whether network security can adapt to provide confidentiality, but whether multilevel security and trusted computing can adapt to meet the needs of business.

  3. Pingback: Security Insights Blog » Data Wanders… So Information Security Needs to Become More Mobile
