It seems that virtually every data loss being reported in the press at present, where the loss occurred through exposure of physical media to an unauthorised party, relates to portable data storage devices - USB sticks, CDs, and the like. Riskmonkey is getting used to the standard response put forward by companies who think their data cannot be exposed in this way: "Oh, we're not worried. All our USB sticks are encrypted".
Of course, they couldn't be more wrong.
It's not hard to see why organisations think encryption is a good control. It sounds like your data is secure. Even if it's lost or stolen, you can tell people their data may still be secure. You can say you took precautions, that you understand their concern and put controls in place to keep their information safe. What you can't do, however, is tell them their data is safe. It almost certainly isn't.
Riskmonkey has a simple view of encryption. There's no harm in it, but it ought to be the last line of defence. If you do have to defend yourself against 10,000 heavily armed savages, even a stick is worth having. It will make you feel better, but it probably won't save your life. What you need is an army, and if you get the controls right, you've got one - it's your colleagues. Get them wrong, and you've just got so many dead bodies for the savages to trample over on their way to you.
Over-dramatic comparators out of the way, here are Riskmonkey's top reasons why even encrypted data is not secure:
- Your encryption may not be very good. 'It's encrypted' doesn't really mean much. I can encrypt this article by moving each character one to the right on the keyboard. It wouldn't take a second for the average intelligent 14-year-old to crack it (in a future article, I'll go into this in more depth and explain which encryption works, and which doesn't).
- Your password may not be secure. Take the Yorkshire Building Society, who recently left the password to a laptop containing thousands of customer records with the laptop. It was stolen - data, passwords and all.
- Your password may be no good. Let me guess: your company name? your mother's maiden name? replace a character with a digit? If I'm still locked out, I bet it won't be for long. Companies can't enforce password standards on encrypted disks in the same way they can on networks, so passwords tend to be weak.
- It's probably not your USB stick, anyway. You gave some out to your staff, but the encryption was annoying so they used one they got free with a box of cereal.
- You don't know what data is on it. Most people use USB sticks as a growing repository of random information they 'might need to share' at some point in the future. You may think it's 1,000 customer names and addresses, but are you sure 50,000 account records weren't put on it last year?
- You don't know where it's been. When you get it back, you won't know whether it's been accessed or not.
- Even encrypted data can be copied for later decryption. You may get the USB stick back, but you won't know where else the data might now be.
- You don't know who's using them. Be glad you found out about this incident. There's a fair chance the last 10 employees to lose a USB stick didn't report it. Would you - really? If a CD's gone missing in the post, how did you find out? Chances are the recipient reported it missing. There's no obligation for them to do that, and no reason why they have to tell you first.
- Did they need the data in the first place? They may have needed some of it - but did that systems test really need full customer histories on all accounts - or would an anonymised sample have done the job? If people within your company have data they shouldn't have, it would be a good idea to sort that out, first.
- It's probably too late, anyway. The problem is that you lost the data, not that someone else has obtained it. You need controls to make sure you don't lose it, rather than controls to stop someone else taking advantage.
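The weak-password habits listed above (company name, a relative's name, a letter swapped for a look-alike digit) can be rejected before an encrypted device is issued, even where the disk encryption itself cannot enforce a policy. The following is an added example, not code from the original post: a policy check that undoes the usual substitutions before comparing against words an outsider could guess. The company name, the minimum length and the test passwords are assumptions.

```python
import re

# Look-alike substitutions people use to "strengthen" a word (constructed list).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(text: str) -> str:
    """Lower-case and undo digit/symbol swaps so 'Ex4mpl3' compares equal to 'example'."""
    return text.lower().translate(LEET_MAP)


def password_problems(password: str, guessable_words, min_length: int = 12) -> list:
    """Return the reasons a device password fails the policy; an empty list means it passes.

    guessable_words: the company name, product names, staff and family surnames,
    i.e. whatever someone who finds a labelled stick would try first.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Compare only the letters, so 'Building2024!' still reveals the word 'building'.
    letters_only = re.sub(r"[^a-z]", "", canonical(password))
    for phrase in guessable_words:
        for token in re.findall(r"[a-z]+", canonical(phrase)):
            if len(token) >= 4 and token in letters_only:
                reasons.append(f"contains guessable word '{token}'")

    # The classic 'word + year + symbol' shape, checked on the raw password.
    if re.fullmatch(r"[a-z]+\d{0,4}[^a-z0-9]?", password.lower()):
        reasons.append("follows the word-then-digits pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a company name plus a surname that might be on the staff list.
    denylist = ["Example Building Co", "Smith"]
    for candidate in ["Ex4mpl3!", "building2024!", "correct horse battery staple sept"]:
        print(candidate, "->", password_problems(candidate, denylist) or "OK")
```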
Next time, watch out for our article on the top controls you can implement in your company to keep your portable data secure.