September 27, 2013
Another day, another breach. If it appears to you that data breaches are becoming more commonplace, don’t doubt your observation, because they are, and they are increasing at an alarming rate. Making matters worse, the costs surrounding a data breach are increasing as well. Now, while a portion of such an increase can be attributed to the direct costs resulting from non-compliance with HIPAA, HITECH, and state privacy laws, not to mention the Data Security Standards of the Payment Card Industry, the loss in customer confidence represents an indirect cost that can have long-lasting ramifications on a business.
So, despite being aware of the risks and ramifications concerning ineffective information security, why do we continue to see breaches occurring at a disturbing rate? The answer rests in the changing landscape in which businesses currently operate.
A Changing Landscape
People love their mobile devices. Flash drives, portable hard drives, tablets, and smartphones – how did we ever live without them? Ubiquitous information has transformed the way business is conducted, but at the same time, it has transformed the manner in which information is to be kept secure.
Never before could the loss of just one device result in the loss of a business, but that is the risk that accompanies the devices which we have come to rely upon. It is for this reason that, although defense-in-depth is preferred, the encryption of portable devices is a must in today’s world.
Why the wait?
If encryption is in fact so important, then why do companies continue to disregard such a key control measure? One answer to this question lies in the common misconception that encryption is nothing more than password protection.
To better understand why this notion is misconceived, imagine that you have a document that you wish to keep secure. If you were to password protect the document, then you would simply place it in a case and lock it with a combination lock. Now, if the lock is bypassed, then the document would be available to the perpetrator.
But, if you were to encrypt the document, then you would translate the document into a code that only you can decipher, place it in the case, and lock it with a combination lock. Therefore, even if a perpetrator breaks the lock, the document would be useless to them. Remember, locks keep out only the honest. As such, they should be viewed only as a first line of defense, with encryption being the fail-safe.
Key Benefits of Encrypting Portable Media Devices
If you are still hesitant to utilize encryption, consider these four key benefits that are provided through the encryption of portable devices:
- Security is on the data itself, not the device.
- Ensures that data stays secure when it is most vulnerable – off your company’s premises and out of your control.
- Represents a last line of defense against unauthorized access.
- Fulfills numerous regulatory compliance requirements.
Therefore, as a last line of defense that protects your company’s information when it is most vulnerable, the encryption of portable media devices is one of the few slam-dunks in security that can limit regulatory recourse.
- As information becomes increasingly mobile, the need to protect such information becomes ever more important.
- While the encryption of portable media devices provides excellent protection against unauthorized access, it is only one piece of the security puzzle.
- Security is a process, not a product. As such, a holistic approach is encouraged to ensure that your information and your business stay protected.
If you are unsure that your business is adequately protected, our Information Security Baseline Review is an ideal starting point for answering all of your questions, and for providing you and your key managers with a basic education on both the threats your company’s information faces and the practical approaches you can take to protect it.
Remember, a false sense of security is worse than being unsure. We have a variety of tools and resources to help you. I encourage you to call to take proactive action.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.