Feeds

The human factor in laptop encryption

Lock down the business managers!

Securing Web Applications Made Simple and Scalable

Hardly a day goes by without news of some laptop containing sensitive information about customers or staff getting lost or stolen. The latest high profile example is the Bord Gais burglary in Dublin in which an unencrypted laptop containing the bank details of 75,000 electricity customers was stolen. Hilariously, Bord Gais told the people affected that "data security and laptop encryption is a major priority for us". More practically, it urged the names to watch out for their bank accounts.

Bord Gais is not uniquely incompetent in laptop security matters, as this week’s trawl of the Reg Library shows. Even when laptops are supplied encrypted, many employees will switch off encryption, in defiance of company policies.

Let’s explore this in a little more detail.

The human factor in laptop encryption

This white paper from Ponemon Institute on behalf of Absolute Software is based on a survey of UK business managers and IT security professionals. The results are compared with earlier surveys conducted in the US and Canada, all of which show that business managers are not to be trusted. [So we are paraphrasing, a little.]

A high percentage of business managers share passwords and do not use complex passwords, use a privacy screen shield, keep their laptop physically safe when travelling or lock their laptops to their desks to protect sensitive and confidential data. Also, many respondents believe that encrypted solutions make it unnecessary to take other security measures.

IT security practitioners, by contrast, are more diligent in all areas. Not news. More surprising is just how crap at this business managers are – even reckless. Remember a lot of these guys work in finance.

According to the report 50 per cent of business managers have turned off the laptop’s encryption solution. Thirty three per cent of those who turned off the encryption solution say that this violates company’s security policy and 27 per cent are unsure. Oh dear.

This is a good paper, with lots of bar charts and statistical caveats to keep you company.

Airport insecurity: The case of lost laptops

Ponemon Institute has carved a niche for itself with laptop security, as it is also the author of this paper sponsored by Dell. Laptops in airports are something of an interest here – ever since a US TSA agent dropped our laptop at security clearance and broke the casing. He got a colleague to question me about the laptop and held it in such a way that I could not see that it was broken, before prompting me to put it back in the laptop bag. Who says TSA staff are stupid? Not me. Clumsy, perhaps...

Ponemon rang up 106 big airports in 46 states to discover that Business travellers lose about 12,000 laptops a week in US airports. Not all, or even most, are stolen by airport staff – 40 per cent of losses occur at security checkpoints. But of the laptops that are found, just 33 per cent are reclaimed by their owner. The rest are sold off, leaving “potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors”.

For the paper, Ponemon Institute also interviewed 864 business travellers in the airport environment. And yes, they are concerned that they have confidential data on their laptops, and no, many of them don’t back this data up. And just one in five use disk-based encryption. The paper contains a commonsense checklist of dos and don’ts for business travellers and again, lots of statistics. This is an interesting read, containing no sales pitch. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.