No organisation should be failing to encrypt its mobile devices or removable media in this day and age. Yet time and again we see reports of unencrypted devices being lost and then fines being levied.
Encryption is not a panacea; it will not cure every security issue. C-level board members, especially the CEO, CIO or CISO, should be worried if their mobile devices and removable media are not encrypted. If they don't know the answer to "are your devices encrypted?", they need to learn fast.
If you run Windows 7, 8.x or Windows 10 Professional editions or above, you will have access to BitLocker for free. Similarly, Apple and Linux distributions come with their own encryption capabilities.
In this post I cover some examples of loss of unencrypted data, the impacts and costs, and three simple benefits to your organisation if you are unfortunate enough to lose an encrypted device. As an added bonus there's also an anecdote from a recent investigation I was involved with.
If you take a look through the ICO's web site, you will find an endless list of enforcement actions; it doesn't take long to start finding stories about unencrypted devices or media.
Back in 2010, Zurich was fined over £2m for the loss of an unencrypted disc that contained the details of 46,000 of its policy holders. Similarly, in 2007 Nationwide Building Society was fined £980,000 for losing an unencrypted laptop containing client data. Both organisations have since improved the way they handle data, but their costs were much higher than the fines. I worked for Nationwide for a few years from 2008, and even when I left in 2011 the legacy of the loss of a single laptop still loomed large. It had certainly affected the firm's ability to move quickly with technology, and the cost of delivering product increased as a direct result of that single loss, through the additional governance and reduced risk appetite it adopted. Was this the right approach? It certainly wasn't a wrong approach, and it reduced the firm's overall fraud levels, but that single loss of a laptop spiralled costs in other areas.
More recently the Historical Society lost an unencrypted laptop; the findings of the ICO's report can be found here. The ICO has the ability to fine firms up to £500,000 but in this instance fined the society only £500. The remediation costs, however, will be far greater.
The ICO findings
During their investigation of the Historical Society, the ICO discovered several simple failings:
There was no encryption on the laptop
No policy was in place to require encryption
No policy was in place for remote working
No policy was in place for the storage of mobile devices or media
Each of those items is simple enough to implement. None of them could have prevented the theft from happening, but together they would greatly reduce the embarrassment to the society, the undue stress and loss of trust among its patrons, and the cost to rectify. Likewise, if your business is permitting the use of unencrypted laptops or removable media, you should act now.
The fix is quite simple, and we are able to help, but at a minimum:
Ensure your "at risk" devices are encrypted; this is not limited to your mobile devices and removable media.
Ensure your policies adequately address encryption requirements
Ensure you have policies for remote working
Use recognised encryption standards, nothing proprietary or no longer recognised. To keep things simple, choose at least AES.
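One way to check the first and last points on a Windows endpoint is to audit BitLocker's own status against the checklist. This is an added example, not code from the original post; it assumes Windows 8 or later with the BitLocker PowerShell module (Windows 7 exposes the same information through manage-bde instead) and an elevated prompt, and the list of accepted cipher names is the author of this example's choice.

```powershell
# Added example (not from the original post): report any volume that is not
# fully encrypted, not currently protected, or not using an AES-based method.
# Assumes the BitLocker module (Windows 8+/Server 2012+) and an elevated prompt.
#Requires -RunAsAdministrator

# Assumption: only AES-based BitLocker methods count as "recognised".
# Anything else, including 'None', is reported as a finding.
$acceptedMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')

function Get-EncryptionFindings {
    $findings = @()
    # Get-BitLockerVolume lists fixed volumes and any removable media plugged in.
    foreach ($vol in Get-BitLockerVolume) {
        $issues = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            # Decrypted, or encryption still in progress: data is recoverable if lost.
            $issues += "volume status is $($vol.VolumeStatus)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # Encrypted but with protectors suspended is still an exposure on loss.
            $issues += "protection is $($vol.ProtectionStatus)"
        }
        if ($acceptedMethods -notcontains [string]$vol.EncryptionMethod) {
            $issues += "encryption method is $($vol.EncryptionMethod)"
        }
        if ($issues.Count -gt 0) {
            $findings += [pscustomobject]@{
                MountPoint = $vol.MountPoint
                VolumeType = $vol.VolumeType
                Issues     = ($issues -join '; ')
            }
        }
    }
    return $findings
}

$findings = @(Get-EncryptionFindings)
if ($findings.Count -eq 0) {
    Write-Output 'All BitLocker volumes are fully encrypted, protected and AES-based.'
} else {
    $findings | Format-Table -AutoSize
    exit 1  # non-zero exit so a fleet tool running this script flags the host
}
```

Run from a logon or management script, the non-zero exit code gives you an inventory of devices that fail the checklist rather than relying on staff to self-report.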
What are the Benefits?
The benefits to you, your board and importantly to your clients are:
You retain the trust and confidence of your existing and new client base. Yes, things unfortunately go missing, but if they do, you can assure your clients that their data is safe.
When something goes missing, if it is properly encrypted and your policies are in place, it is the difference between a minor embarrassment and a potentially hugely costly affair.
If, when asked "was the data encrypted?", the answer is "Yes", the CEO will face little further disruption, the CIO/CISO can keep their job, and the investigation will be closed much sooner and at a much smaller cost.
Recently I was involved in handling an investigation into the loss of a laptop. The laptop had been stolen during a break-in at an employee's house. Thanks to good policies and staff awareness, the employee immediately notified the police and the company security team. Within minutes it was established that, whilst data had been lost, the device was fully encrypted and required a password before getting to the operating system.
As part of the investigation, I spoke to the CEO of the firm involved. During the chat they mentioned that, up until that very incident, they had seen the requirements for encryption as a chore and a burden. We spoke further, and they said how relieved they were that, whilst the loss due to theft was unfortunate, they could rest knowing that no client information had potentially been accessed, and that instead of facing potential fines they were looking at replacing just the hardware.
In this instance, had there been no encryption, they may have faced fines from the ICO and the FCA. On top of the fines, each of the firm's 20,000 clients would potentially have required notification and, on top of that, have been offered a year's credit checking facility at a cost to the firm.
Up until that one incident, the CEO had never had to face such a loss and so had no reason to value the security requirements.
Zurich - http://www.independent.co.uk/news/business/news/zurich-fined-228-million-for-policy-data-loss-2060627.html
Nationwide - http://news.bbc.co.uk/1/hi/business/6360715.stm
Historical Society - https://ico.org.uk/action-weve-taken/enforcement/data-breach-by-historical-society/