Update to include a brief article in Network World that was posted recently (here)
Hundreds of thousands (probably millions, maybe even billions – who knows) of devices are lost or stolen every year, and the number will continue to increase as more of the population adopts mobile technology, taking the workforce outside of the control of IT. These devices contain a rich offering of information for the consumption of deviants and those who just stumble upon the data. Even if the corporate intellectual property has been scrubbed, the email contact list and inbox information could be a gold mine for someone.
Of course there has been no shortage of high-profile laptop loss events. From academia to the federal government to financial services to presidential candidates to security auditors, every industry has fallen prey to opportunistic as well as orchestrated thefts, and with the thefts comes the inevitable series of disclosures. Some disclosure statistics put the price of notification at around $100 per contact, not including the damage to the company and brand. It is an issue that should be top of mind for all organizations, yet so few have properly implemented a method for limiting the impact of lost or stolen assets.
The first thing to realize is that losing the device itself, the hardware, is hardly the issue; insurance can replace the material stuff easily enough. The information the device stores is the problem: most organizations have no idea how data is accessed and stored, or where it travels when it moves in and out of organizational control. Very few have implemented processes and controls over the flow of data in and out of their environment, and even fewer have any visibility into the data that resides on machines that are stolen, or their security state for that matter.
Information Security needs to be about securing information
Only recently has the impetus to secure applications and data driven organizations to refocus their efforts on the critical assets, the data itself, which forms the foundation of most organizations' DNA. For the most part, information security programs have been focused on securing systems and the networks they support. However, an increasingly hostile and financially motivated threat environment, targeting the theft of data and services, coupled with breach disclosure laws, is forcing organizations to rethink their security measures.
If we are to move away from the constant barrage of information leaks, the orgy of disclosure that marked the changing tides in information security through 2006, information security programs must evolve from simply defenders of hard assets to securers of information. Data security becomes extremely difficult, however, against the backdrop of a more mobile workforce.
The war for data security is not lost: new technologies and processes can effectively prevent significant loss and dramatically lower the damage potential, but IT must adopt a program that embraces data security and stop fooling itself into believing that traditional measures will protect it from evolving threats.