If your workplace offers BYOD (bring your own device) or similar programs where employees are authorized to bring and take portable computing devices for work-related purposes, it really pays to take a second look at full disk encryption like AlertBoot. Why? Because no matter how hard you try, sensitive information will end up where it shouldn’t, as Washington University in St. Louis’s recent case shows us.
Unencrypted Laptop with PII Stolen
Washington University in St. Louis (WUSL) has alerted the Maryland Attorney General’s Office that they suffered a data breach when a laptop computer was stolen from one of their employees. As it turns out, the information was limited to business partners and one Maryland resident. As data breaches go, it’s a very small one.
There is no doubt that WUSL did a great job of managing their data. Here you have a data breach that involves personal sensitive data, and instead of affecting hundreds of thousands of people, it affected one. Sure, you have a number of business partners (probably not innumerable), but the letter to the AG implies that only one SSN was breached in this fiasco. In a sense, there was no need for encryption; the breach was not dire enough or big enough.
On the other hand, here you have an organization that is forced to alert the authorities that they suffered a data breach because they missed one guy’s data. What kind of damages, intangible or otherwise, are associated with this breach report? What if the AG decides to investigate the incident, regardless of what the reason might be (political, legal, what have you)? You know, the proverbial camel’s back?
One thing in the breach notification letter that caught my attention was the following passage:
To help prevent something like this from happening in the future, Washington University has re-educated its staff in the importance of handling personal information securely and continues to enhance its information security safeguards.
Education works. It makes people more aware, it changes behavior, and it definitely raises overall security levels. But that does not hold for everyone. You will have people who sit through the seminars and whatnot because they have to. You will have people who initially respond and engage but slowly (but surely) start to ignore security issues as days turn into months. You will have people in denial (“it happens to others but not me”).
If data security is an issue at the workplace, one must do a little more than educate people, especially when research shows that people are either unwilling or incapable of change.
Behavioral science, for example, shows us that results can change drastically depending on whether one follows an opt-in or opt-out model since people tend to stick with the default settings. For example, if it’s up to the user to encrypt a laptop, then most laptops will go unencrypted, even if people know that encrypting is better.
When such realizations are factored into computer data security, it only makes sense for organizations like WUSL to require encryption (possibly use a centrally managed encryption solution to keep track of encryption rates), and not stop just at educating employees.
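The "keep track of encryption rates" point above is easy to get wrong in the opt-in direction: a console that counts only the devices it has heard from will overstate coverage. The added example below (mine, not AlertBoot's or WUSL's code) computes a fleet encryption rate from a constructed set of per-device status reports in a hypothetical export format, and fails closed: a device that never reported, or whose last report is older than an assumed 14-day threshold, is a finding rather than an assumed success.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy value: a status report older than this is treated as unknown.
MAX_REPORT_AGE_DAYS = 14


@dataclass(frozen=True)
class DeviceRecord:
    """One device check-in as a hypothetical central console might export it."""
    hostname: str
    owner: str
    status: Optional[str]        # "encrypted" | "encrypting" | "unencrypted" | None
    last_report: Optional[date]  # None when the agent has never reported in


def noncompliance_reason(rec: DeviceRecord, today: date) -> Optional[str]:
    """Return why a device fails the encryption policy, or None if it passes.

    The checks fail closed: anything other than a fresh 'encrypted' report is
    a finding, so no device is ever assumed encrypted by default.
    """
    if rec.last_report is None or rec.status is None:
        return "never reported"
    if (today - rec.last_report).days > MAX_REPORT_AGE_DAYS:
        return "stale report"
    if rec.status == "encrypted":
        return None
    if rec.status == "encrypting":
        return "encryption in progress"
    return "not encrypted"


def compliance_report(records: List[DeviceRecord], today: date) -> Dict:
    """Summarise the fleet: counts, compliance rate and per-device findings."""
    findings: Dict[str, str] = {}
    for rec in records:
        reason = noncompliance_reason(rec, today)
        if reason is not None:
            findings[rec.hostname] = reason
    compliant = len(records) - len(findings)
    rate = compliant / len(records) if records else 0.0
    return {
        "total": len(records),
        "compliant": compliant,
        "rate": rate,
        "findings": findings,
    }


# Constructed sample check-ins; hostnames, owners and dates are made up.
TODAY = date(2012, 6, 1)
SAMPLE_DEVICES = [
    DeviceRecord("lap-001", "alice", "encrypted", TODAY - timedelta(days=2)),
    DeviceRecord("lap-002", "bob", "encrypted", TODAY - timedelta(days=30)),
    DeviceRecord("lap-003", "carol", "unencrypted", TODAY - timedelta(days=1)),
    DeviceRecord("lap-004", "dave", None, None),
    DeviceRecord("lap-005", "erin", "encrypting", TODAY),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_DEVICES, TODAY)
    print(f"{report['compliant']}/{report['total']} devices compliant "
          f"({report['rate']:.0%})")
    for host, reason in sorted(report["findings"].items()):
        print(f"  {host}: {reason}")
```

On the sample data only one of five devices counts as compliant; a console that ignored the silent and stale devices would have reported two of three instead. Treating "no report" as "not encrypted" is the opt-out default applied to the audit itself.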