Unencrypted Laptops and Portable Storage: How to Determine If You Are at Risk
In the past, sensitive data was stored in hard copy form in one centralized location. With the increased use of laptops and portable storage devices, loss of crucial information by organizations and individuals has become widespread.
Organizations and individuals have had sensitive data exposed because the information was stored on devices that are mobile and easily lost. The loss can result from attacks by criminals with malicious intent, or simply from human forgetfulness. Additionally, portable storage allows data to be carried between computers and mobile devices, which provides an easy opening for a malware infection to spread among those machines and the networks they connect to.
How to Determine If You Are at Risk
Every organization has some kind of policy in place to secure sensitive information. However, with the increased use of technology, some organizations fail to employ active controls to ensure that devices such as laptops and portable storage use some form of encryption to reduce the risk of exposing sensitive data.
To determine if you are at risk you should find out if the organization takes the following security measures:
- Transfer of Confidential Data: Find out if the organization has a policy in place that covers the transfer of confidential information onto portable storage or laptops. There should be specific rules and regulations in place for this type of data transfer and data security.
- Encryption: An organization that uses multiple portable devices such as laptops and mobile storage should have some type of encryption system installed within the devices.
- Tracking System: The organization should have a system in place that tracks access to confidential information. The system should also be capable of identifying when inappropriate access has occurred.
- IT Asset Disposal: When upgrading to new technology the organization should have an IT asset disposal policy in place, as well as a policy for wiping out data on portable storage devices that are being disposed of. Generally there is a standard protocol that organizations are required to follow with regard to IT asset disposal. Find out what the policies are and make sure they are following them.
- Written Security Policy: There should be an established data security policy that outlines the guidelines for using laptops and portable storage devices. The policy should include rules that pertain to the encryption of data on laptops and portable storage devices. The policy should include who is authorized to use the portable devices, the type of data that can be stored on them, and where the portable devices can be used.
- Notification Safeguards: There should also be a policy in place that requires technical personnel to be notified when confidential data is transferred to portable storage devices or laptops. Such a policy encourages the use of full-disk and partial-disk encryption.
- Decryption Methods: Access to encryption keys should be limited to a specific set of individuals rather than granted organization-wide. This includes strict enforcement of rules on key sharing.