Since Eric Lundquist wrote his story on losing laptops with confidential data back in 2006, not only is the problem not getting better-it may even be getting worse.
Back in 2006 during a rash of news about execs losing their
laptops with confidential data, I wrote an article titled, "Lundquist's Guide to
Not Getting Fired for Losing Your Laptop
." I was sure that stories such as mine combined with the opportunity for
vendors to make some money by adding encryption and additional layers of
security access and using hosted (today, called the cloud) data storage would
push this serious problem to the margins.
It is now nearly three years later, but has the problem
receded? No, and no again. In fact, I think it may be getting worse. Here's my
evidence. Recently I attended a briefing from PriceWaterhouseCoopers, where the
company presented its findings from its 2008 Global State of Information
Security study. PWC has been doing this study for 10 years, this one gathering data
from about 7,000 senior C-level execs from 119 countries. This is no quickie Web
poll, but a study with a history and some science behind it.
I guess I'd expected to see something like 80 to 90 percent
of companies engaged in encrypting laptops, databases, file shares, backup
tapes and removable media. I was really wrong. Here are the percentages of
survey respondents that have implemented these technologies: laptop encryption:
50 percent; database encryption: 55 percent; file share encryption: 48 percent;
backup tape encryption: 47 percent; and removable media encryption: 40 percent.
But wait, it gets worse. If I were going to write that guide
today, I'd focus more on handheld devices, which are due for some major data
leakage crime stories. How many respondents have implemented security standards
for handheld and portable devices? That would be 42 percent. How many have
established security standards for cellular/PCS
and wireless systems? That would be 40 percent.
Ouch. That doesn't even get me into cloud computing. In
cloud computing, you can hear lots of talk about uptime and cost savings, but
very little on who is responsible for the data in the cloud and how those cloud
companies are guaranteeing and assuming liability for data security. And that
doesn't even touch on social networks, hosted e-mail and all the other myriad
ways data proliferates and wanders about corporations these days.
At this point, I'd say companies are losing the battle on
data security. Your best bet, in my opinion, is to focus on the data that is
absolutely vital to your company and make sure that is locked down and
available only to authorized users.
For more on the PriceWaterhouseCoopers, study go here