“If you encrypt your data ... you are making it much more difficult for someone to take advantage of that data,” Loveless says.
Encryption is not hassle-free, Loveless notes, but organizations that build encryption into their security plan will see benefits. “It’s a very good habit to get into,” Loveless says.
There’s no shortage of companies working to make encryption easier when storing files, among them NeoScale and Decru. Both make appliances that encrypt data before it reaches the storage medium.
“Encryption is one obvious solution” to the Bank of America and Ameritrade incidents, says Dore Rosenblum, vice president of marketing at NeoScale. “If the data had been encrypted, we probably wouldn’t even know about it.”
Frank Slootman, CEO of Data Domain, a disk backup company that also builds storage appliances, thinks the entire backup process should be re-engineered. “Companies should begin looking at replacing tape storage, compressing and encrypting the data, and sending it on the network,” he says. “Companies should get out of the business of making and handling tapes and then shipping them to different facilities…. The technology is there to reduce the risk of lost or stolen tapes to a minimum,” he says.
Lock down physical security
In March the University of California, Berkeley, notified more than 98,000 graduate students and applicants that their names, Social Security numbers, and other personal information fell into the wrong hands when a laptop was stolen from a “restricted area” of the graduate division offices. Not long after that incident, a San Jose, Calif., medical group reported stolen two computers that contained confidential medical information on about 185,000 people.
Ken Dunham, director of malicious code at iDefense, a security intelligence firm, asserts that keeping a grip on physical security has become much more difficult with the growth of mobile computing, adding that “the number of laptops left in taxis and airports is very high.”
According to BindView’s Loveless, thieves are most likely to steal computers for resale value. “Laptops are so powerful these days that they bring a good price and they’re easier to carry than a DVD player.”
Jim Stickley knows all about computer theft. To him, notebooks are child’s play. “I’ve carried entire servers out the front door,” he says. Stickley is not a computer thief; in fact, he is co-founder and CTO of Trace Security, a security software and consulting firm.
Companies hire Trace Security to perform vulnerability audits, using guise and subterfuge to gain access to banks and company offices.
“Once you are inside a facility, once you get past the front line, the security seems to fall apart. Once you get inside, you are just as trusted as any employee,” Stickley says.
Much of that lack of security can be chalked up to changes in the working environment in the past decade, Stickley says. “There are so many new employees and temporary employees in companies that it is very easy to get into an office and have free reign.”
To prevent thefts similar to those at the University of California, Stickley recommends strict monitoring of everyone who enters and leaves a building. “Chaperone [guests]. If people come in pairs, don’t let them split up. If they complain, just say it’s corporate policy,” Stickley says.