Laptop security – done the right way
The risk is there, and the numbers don't lie. One of every ten laptops will be lost or stolen in its lifetime.
The FBI reportedly has as many as three or four laptops lost or stolen monthly. Laptop theft increased in 2006 by 81 percent when the thieves realized that the data on the hard drive was often far more valuable than even the nicest laptop. More security breaches result from lost or stolen laptops than from hacking.
Make no mistake about it, the risk is there. Furthermore, unless you have adopted some "comprehensive, centrally manageable security procedure that involves whole disk encryption," then your firm is at serious risk.
Most U.S. states (45, in fact) now have security breach notification laws. Even if your state does not have such a law, you are bound by the laws of those other states if you have confidential information on customers, clients, employees, or others in your possession and any of those people reside in other states. If this information is lost or stolen, you must comply with the laws of the states where the affected persons or entities reside.
For a CPA firm, losing a laptop with even just a few client QuickBooks data files could result in hundreds of notification requirements. For example, think of all the employees of all those QuickBooks companies. Their Social Security numbers are in the QBW file, which can be easily cracked with a $39 piece of software (e.g., "QuickBooks Key"), and they will all need to be notified.
Cost to notify, loss of current and future clients, embarrassment and failure to have acted with due diligence are all thoughts that will go through your mind if such a breach occurs and you are at the helm. Severe fines and penalties may also result. Under the Florida Security Breach Notification Law, for example, failure to properly notify within 45 days will result in a fine of $1,000 for each day the breach goes undisclosed for up to 30 days and, thereafter, $50,000 for each 30-day period or portion thereof, up to a maximum fine of $500,000.
The solution is simple. You must have whole disk encryption for all laptops that will or potentially could contain confidential information. This functionality needs to be centrally managed to ensure that it is done consistently, without the need for intervention or management on the end users' part. Furthermore, it must be done in such a way that it can be documented and proven to regulatory and other legal authorities (for instance, in compliance with "Red Flag" laws) that you have acted with due diligence and adequately safeguarded confidential information. Even more important, you must be able to show that you have adopted adequate controls to prevent the loss of confidentiality of this information.
There are numerous high quality solutions available, including Microsoft's BitLocker, which is a very good fit for their server databases and may be a good fit for end-point security if managed properly. Other key players in this market include PGP Desktop (a perfect 5.0 review in PC Magazine's May 21, 2009, issue), Symantec Endpoint Encryption, McAfee Endpoint Encryption, TrueCrypt and literally hundreds more.
The ability to centrally manage the data on these laptops is critical to success. Without that feature, you will not have the ability to prove to authorities that you have successfully protected confidential data in the event of a laptop loss or theft.
The following are some features you should look for in evaluating centrally managed solutions:
- Central control of all confidential data. This can include automated procedures such as remote shredding of all data on a machine once a machine identifies itself as being stolen. This could be triggered in a number of ways, including failure to check in within a certain number of days or making an IP connection and finding out from the home server that it is in fact stolen.
- Ability to escrow keys of employees so that documents are not lost if the employee leaves or is fired. This is also useful in helping employees recover their keys when they forget them.
- Strong support for tokens, biometrics and other second factor authentication technology.
- Ability to encrypt the entire contents of a laptop disk (FAT16, FAT32, or NTFS), including temporary files and the Windows swap file.
- To avoid any loss in productivity, you need a solution that provides safe and authorized movable storage use without changing the user experience. This usually does not mean choosing what appears, in the short run, to be the cheaper solution that still gets the job done. Cheaper solutions (TrueCrypt, for example, is free) may contain exceptional technology but, without support, good documentation and a well designed user interface and user experience, will cost you much more in the long run in lost productivity.
- One solution should work for all mobile devices, not just laptops.
- All your users will now have their own digital signatures. If they already have one or more digital signatures, they should be able to manage them without issue, seamlessly within the one solution.
- A free global directory service that registers public keys for any user.
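One way the "escrow keys of employees" and "help employees recover their keys" features above fit together, as an added example that is not code from the original article or from any product it names; the two-slot disk header, the HMAC-based wrap and every key name are constructed for illustration:

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional
# Constructed illustration of the key-escrow design the feature list asks for, not any
# product's real format. A random data-encryption key (DEK) is stored only wrapped under
# two independent keys: one derived from the user's passphrase and one (the escrow key)
# held centrally, so either slot alone recovers the DEK. The HMAC-based "wrap" below is a
# simple stand-in for AES key wrap; the two-slot structure is what matters.
KEY_LEN, PBKDF2_ITERATIONS = 32, 200_000

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from a passphrase via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)

def wrap(dek: bytes, kek: bytes) -> dict:
    """Wrap the DEK under a KEK: XOR with a nonce-derived keystream, plus an HMAC tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(slot: dict, kek: bytes) -> Optional[bytes]:
    """Return the DEK, or None when the KEK is wrong or the slot was tampered with."""
    expected = hmac.new(kek, b"tag" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    stream = hmac.new(kek, b"wrap" + slot["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))

def provision_disk(passphrase: str, escrow_kek: bytes) -> dict:
    """Disk header: a fresh DEK wrapped under both the user slot and the escrow slot."""
    dek, salt = secrets.token_bytes(KEY_LEN), os.urandom(16)
    return {"salt": salt, "user_slot": wrap(dek, derive_kek(passphrase, salt)),
            "escrow_slot": wrap(dek, escrow_kek)}

def unlock_with_passphrase(header: dict, passphrase: str) -> Optional[bytes]:
    return unwrap(header["user_slot"], derive_kek(passphrase, header["salt"]))

def unlock_with_escrow(header: dict, escrow_kek: bytes) -> Optional[bytes]:
    return unwrap(header["escrow_slot"], escrow_kek)

def reset_passphrase(header: dict, escrow_kek: bytes, new_passphrase: str) -> bool:
    """Help-desk recovery: the escrow slot re-wraps the DEK under a new user passphrase."""
    dek = unlock_with_escrow(header, escrow_kek)
    if dek is None:
        return False
    header["salt"] = os.urandom(16)
    header["user_slot"] = wrap(dek, derive_kek(new_passphrase, header["salt"]))
    return True
```

Because the escrow slot is independent of the user slot, a forgotten passphrase is reset without re-encrypting the disk, and a departed employee's data stays readable to the firm.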
In discussing the liability of a business in failing to prevent customer data from being compromised, Dennis F. Dycus, CPA, CFE, director of the Office of the Comptroller, State of Tennessee recently made the following statement:
"If their systems were accessed illegally and such information downloaded, if they could not demonstrate that they had acted in good faith in trying to protect such information, in my opinion they could be held liable."
Unless you employ a solution like PGP Endpoint Device Control, it is not likely you will be able to, in the words of the gentleman from Tennessee, "demonstrate that you acted in good faith in trying to protect such information." After all, there are many well-proven, cost-effective solutions. Red Flag laws appear to make adopting such a solution mandatory.