The Digital Forensics Association has come up with a report showing the impact of missing laptops in the overall data breach landscape. And, while the numbers make a case that targeted hacks are now the leading cause of actual records compromised, that doesn’t necessarily mean that an organization should invest less in data protection tools like full disk encryption software.
Laptops Account for 49% of Breaches and Other Stats
The Digital Forensics Association report found the following:
49% of all reported breaches come from the loss of a laptop
In 95% of the cases the laptop is stolen
Loss of laptops accounts for 6% of lost records
33% of the laptops are stolen from offices
28% are stolen from vehicles
The leading vector for third-party losses is via missing laptops
Among the recommendations made is that encryption software be used to protect sensitive data on portable storage devices (laptops, external HDDs, USB flash drives, etc.).
It’s duly noted that “organizations that rely on the login password to keep the data safe on a laptop that has been lost or stolen are operating under an inaccurate risk assumption.” That “inaccurate risk assumption” should really be termed “inaccurate safety assumption,” as in people think that they’re safe with the use of password-protection.
6%? That’s Tiny. But There’s More at Play
Six percent is a pretty low figure, I’ll agree. This is the thing, though: almost no one in the general community blames the victimized company when the latter is hacked. The hackers are the bad guys.
When a laptop with sensitive data is stolen, the bad guy is almost never the thief. You read that correctly; that’s not a typo.
Instead, the blame falls upon the person that decided that keeping sensitive data on portable devices was a good idea. Do you realize how many times I’ve read comments to the tune of, “what the heck was my SSN/driver’s license/bank account number doing on a laptop computer?! It should be locked up in an office!”
If your company, organization, or agency has to deal with sensitive data on laptops, external hard drives, and any other data storage device that can be picked up easily and stolen (or even devices that are not as portable, such as desktop computers), disk data encryption should be used. Otherwise, not only do you risk fines and penalties and having to comply with breach notification laws, you might also take a harder PR hit than if your network is breached.
Also, remember: any penalties and fines associated with a breach will pretty much amount to the same, regardless of whether a laptop is stolen or your company is hacked. Why open up a vulnerable spot for yourself by not using the appropriate data security tools?