July 08, 2008, 10:33 AM — When Redemtech commissioned the Ponemon Institute to study data breaches last summer, they confirmed something we all probably understood: most breaches result from the loss or theft of a data bearing asset, often a laptop. They also confirmed that a large majority of surveyed companies have existing policies to govern the handling of data bearing equipment once it is taken "off the wire," or off-network. Not anticipated was that a majority of companies report doing nothing to measure or govern the effectiveness of those policies.
These five steps will take you from knowing better to doing better.
Identify a means for measuring and managing
Almost a third of respondents to the Ponemon survey said they would never be able to identify the loss of a data bearing asset -- a legal obligation for privacy regulated companies. Ideally every company will have an inventory database of record for asset management. In fact, many organizations operate from fixed asset ledgers, which are not appropriate tools for managing inventory. Those who lack an accurate asset repository should maintain inventory lists by location and put processes in place for recording additions and decrements to the list. Inventory lists should be routinely verified by physical counts.
Secure idle inventory
Assets at rest are assets at risk, and most losses occur inside company facilities. Allocate a secure area for storing idle inventory. Never stage transitional assets in hallways, conference rooms, or the convenient storage area. Lock them up and update inventory lists to reflect the new location. Take periodic cycle counts of storage areas and be assertive in reconciling discrepancies when they are found.
Encrypt as much as you can
Full data encryption is the best practice for protecting off-network data, but only about 25 percent of companies report that their desktop infrastructures are encrypted. Mixed environments are the most difficult to manage because of the extra care required to segregate encrypted devices from the unencrypted. Note that even encrypted data must be sanitized at end-of-life.
Hold people accountable
The Ponemon study found that most losses resulted not from dishonesty, but from a simple failure to follow established policy. Management must communicate that security is a priority, and must insist that everyone follow established procedures. The keys to real accountability are regular inspection of conformance to procedure and painful personal consequences for anyone who ignores the rules.
Create an audit trail
Humans will inevitably make mistakes, but with adequate documentation, those mistakes -- inventory variances -- can often be corrected. Suspected hardware losses are usually due to simple paperwork errors. When good records allow missing assets to be quickly located, privacy regulated companies can avoid the incredibly expensive process of managing a data breach.
IT organizations that adopt rigorous off-network security discipline, following these five steps, will soon find themselves less vulnerable to data breaches. Getting from knowing better to doing better only takes a little willpower.