The New Security Realities of the Laptop Computing Era – Part 1
by admin
There’s no doubt that today, the use of laptops in business is nearly ubiquitous. Laptops began outselling desktops in 2008 and the number of laptops sold over desktops continues to increase. Research shows businesses’ use of laptops has risen from an average of one in every five PC users in 1999 to one in three today. That figure will pass the 50% mark in the next few years. Here is what this means for businesses:
- Every laptop is a standalone storage device, meaning there can be tens of thousands of individual storage devices throughout an organization.
- Every laptop, therefore, is a repository for sensitive or confidential information, whether you’re talking about documents stored on a hard drive or simply emails in an Outlook client.
- Every laptop that connects to an enterprise network represents a possible network security threat.
- If someone gains unauthorized access to a laptop, there’s the potential for that laptop to be used to hack a network without the security team ever knowing.
In an effort to solve these challenges, IT departments have turned to security methods and technologies that, in many ways, exacerbate the problem. The clear and present security danger of the laptop computing era is one of data protection.
In this article we will drill down further on the challenges and potential solutions to this problem. In a subsequent article, we will discuss the new realities of controlling information access from laptops connected to corporate networks, and outline cost-effective approaches for solving that dilemma.
The Cost of Failure
The dramatic increase in the use of laptops puts enterprises at significant financial risk. According to the Ponemon Institute, business travelers lose more than 12,000 laptops per week in U.S. airports.
A 2011 study by Ponemon Institute reported the cost of a data breach is an average of $7.2 million per incident, about $318 per compromised record. The resulting adverse publicity from a breach may also result in lost business, estimated to represent more than half of the ultimate cost.
Not protecting data in laptops can lead to expensive fines and loss in revenue. Congress is considering a bill to force all persons or organizations involved in interstate commerce to disclose any breach of Personally Identifiable Information (PII) immediately, with a penalty of $1,000 per record, per day, up to $1 million.
Look Who’s Watching Now
Enterprise security used to be the sole domain of IT. They identified the problems, chose the solutions, and reported a company’s security posture to the CIO. In today’s enterprise there are more eyes than ever scrutinizing a company’s IT security practices and policies.
In 2001, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board issued The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit (SAS 94).
This standard requires financial auditors to consider information technology as part of overall internal control. Auditors must understand applications and systems in assessing risk and evaluating the integrity of financial information.
This means that the concerns for information security are not only an issue for the IT department, but can be raised all the way up to the level of the Board of Directors. Because of this, both security and financial auditors are enforcing stronger data protection policies to comply with SAS 94.
Laptop Data Protection
To meet the information security standards of both security and financial auditors, companies are challenged to secure data stored on endpoints and ensure only authorized employees have access in the event a laptop is lost or stolen.
Oftentimes, this leads to organizations patching together multiple different technologies to secure their data, access and communications. However, this approach consistently leaves IT administrators with security holes that cannot be patched, and solutions that cannot be adapted to quickly address new threats.
Physically securing information on laptops can be achieved in two primary ways – using strong authentication to control access to the computer, and using full-disk encryption to safeguard the data itself.
Ideally, these combined protections would have a unified central management system.
Strong authentication for laptops can come in many forms. The type of strong authentication that an enterprise chooses should mirror the requirements of the company, and integrate seamlessly into the company’s overarching security infrastructure. For instance, if a company has deployed smart cards for both physical (building) and logical (computer) security, this added layer of security should be extended all the way out to the laptop computers.
If a company has chosen to use strong passwords, the company might also consider tying those passwords to a biometric authentication system. This eliminates the need for users to actually remember the longer passwords, so they neither write them down (a security risk) nor constantly forget them (an IT helpdesk cost).
Laptop access is only the first layer of security. Comprehensive laptop security must include full-disk encryption. Encryption makes data unreadable to anyone except those with a key to unlock the data. Information is protected even if a thief pulls out the hard drive and tries to access it using another computer.
Organizations that have deployed full-disk encryption have been able to reduce the number of breach exposure incidents experienced in the last 12 months by 84 percent. By deploying a centrally-managed solution that takes advantage of multiple strong authentication options, such as biometrics, IT managers can make sure only authorized employees can access the network, sensitive data and critical business applications. IT managers can easily manage the access of a stolen laptop and recover any critical data stored on the device.
From Data Protection To Access Control
The increase of laptop use in enterprises has changed the game of security, impacting how auditors evaluate security.
Today, auditors are enforcing encryption policies and procedures more stringently than ever to ensure corporate records have not been compromised. Financial auditors are not only pressuring corporations to protect data stored on laptops, they also want to know who is accessing the network from mobile endpoints.
In my next article, Part 2 of New Security Realities, I will provide an in-depth look at the issues of access management and what companies can do to comply with new mandates.
This is part 1 of a guest article series from Fabio Santini, who is Product Marketing at DigitalPersona Inc.