Transcend Capital has alerted the New Hampshire Attorney General that one resident of that state has been affected by the loss of a laptop computer. Surprisingly, the computer in question was not protected with disk encryption like AlertBoot, an unusual circumstance when it comes to financial companies.
Laptop Stolen from Office
According to the letter, the computer was stolen on October 31st. An employee working out of a Dallas branch stepped out from his office. When he returned, he found that someone had stolen his laptop. The device was not physically affixed to his desk nor was encryption software used to protect the computer’s data, which is against company policies.
The stolen laptop contained names and account numbers used at Transcend Capital. A relatively small number of those affected may also have had their Social Security numbers compromised.
The firm is reminding all employees to secure their laptops to their desks or other immobile fixtures. Which is odd, because are we seriously talking about data security here? It seems to me that they should be emphasizing the encryption aspect, not the cable-lock aspect of things.
The Security Value of a Cable Lock v. Encryption
Don’t get me wrong: physical security is important. I’m certainly not saying that one should concentrate on data encryption at the expense of physical security. However, between doing that and concentrating on physical security at the expense of encryption, I’d strongly argue against the latter.
It only makes sense from a value standpoint. First consider this: which one is easier to break? Cracking encryption takes the efforts of an agency like the NSA, the National Security Agency. Even if weak encryption has been used, it still takes anywhere from a day to a couple of months (or more), depending on the encryption and the cracking (or “recovery”) service that you use. A cable lock? A $20 bolt cutter and 5 seconds suffice.
Also, you have to take into consideration the additional values each solution brings. The use of encryption, for example, generally tends to bring with it a safe harbor clause from state, federal, and professional organizations and agencies. The use of a cable lock? Maybe you’ll get a thank you note from Lowe’s.
Why Leave Encryption to Employees?
Perhaps the most puzzling aspect of the notification letter is that, apparently, encrypting laptops is left up to the employees. At least, that seems to be the implication. The last time I checked, this is not a good idea.
There is the obvious problem that an employee might not do it, policy or not. Violating policies is not unheard of, be it out of spite or ignorance.
Plus, take into consideration what an employee has to go through: the employee has to evaluate whether the encryption solution lives up to its name, install it, and make sure he keeps a copy of the encryption (recovery) key. This is not for those who are semi-computer illiterate.
It seems to me that Transcend could use a solution more akin to AlertBoot endpoint security. It’s disk encryption, yes, but it’s cloud-based. It’s easy to distribute the encryption program (over the internet); the encryption keys are automatically backed up to the cloud; and an administrator gets a central console from which to manage encryption and run audit reports.
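To make the "central console plus audit report" idea concrete, here is an added example (not code from this post or from AlertBoot) of the kind of compliance check such a console runs: it walks an inventory of endpoints, flags the three states that matter for a theft like the one described above (disk not encrypted at all, encrypted but the recovery key was never backed up centrally, or the agent has not reported in long enough that the state is unknown), and classifies what the loss of a given device would mean. The inventory records, hostnames, field names and the 14-day staleness window are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Endpoint:
    hostname: str
    user: str
    encrypted: bool      # full-disk encryption active, as reported by the agent
    key_escrowed: bool   # recovery key backed up to the central console
    last_checkin: date   # last date the agent reported its state

# Constructed sample inventory (placeholder hostnames and users, not real data).
INVENTORY = [
    Endpoint("lt-001", "user1", True,  True,  date(2023, 10, 30)),  # compliant
    Endpoint("lt-002", "user2", False, False, date(2023, 10, 30)),  # never encrypted (policy violation)
    Endpoint("lt-003", "user3", True,  False, date(2023, 10, 29)),  # encrypted, but key never escrowed
    Endpoint("lt-004", "user4", True,  True,  date(2023, 9, 1)),    # has not checked in: state unknown
]

# Assumed threshold: an agent silent this long means we cannot trust its last report.
STALE_AFTER = timedelta(days=14)

def audit(inventory, as_of):
    """Return {hostname: [issues]} for every endpoint that is not fully compliant."""
    findings = {}
    for ep in inventory:
        issues = []
        if as_of - ep.last_checkin > STALE_AFTER:
            issues.append("stale")
        if not ep.encrypted:
            issues.append("unencrypted")
        elif not ep.key_escrowed:
            issues.append("no-escrow")
        if issues:
            findings[ep.hostname] = issues
    return findings

def classify_loss(ep, as_of):
    """What the theft of this device means, based on the last state the console saw."""
    if as_of - ep.last_checkin > STALE_AFTER:
        return "unknown"        # last report too old to rely on; treat as exposed until verified
    if not ep.encrypted:
        return "exposed"        # data readable by whoever has the disk; notification likely
    if not ep.key_escrowed:
        return "protected-unrecoverable"  # attacker cannot read it, but neither can the company
    return "protected-recoverable"        # encrypted and the key is held centrally

if __name__ == "__main__":
    today = date(2023, 10, 31)
    for host, issues in audit(INVENTORY, today).items():
        print(f"{host}: {', '.join(issues)}")
    for ep in INVENTORY:
        print(f"{ep.hostname} if lost: {classify_loss(ep, today)}")
```

The point of the two functions is the same one the post makes: the cable lock changes nothing in this report, while a device that shows up as "exposed" is the one that turns into a letter to an Attorney General. The "no-escrow" state is the failure mode of leaving encryption to individual employees; the disk is protected, but the company has no recovery key if that employee forgets the passphrase or leaves.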
In a decentralized work environment, it still makes sense to centralize certain aspects of your organization.