Judging by the numbers, Apple iPods waited under seeming acres of Christmas trees and in the gleam of many a menorah this past holiday season. A record 14 million of the portable music players were sold in Q4 alone—up from 4.5 million in the same quarter of the previous year—which sent a new horde of workers to offices each day with portable hard drives stuffed in their purses and coat pockets.
“Back in the old days, when there were just mainframes and dumb terminals, nobody had to worry about the data being taken outside the security walls or the perimeter of the company. All you had to do was put locks on the front doors, post a guard and things typically didn’t leave the building,” says Walter Loiselle, VP of operations and technology for Utimaco Software, an enterprise data security provider in Foxboro, Mass.
Today, iPods, cell phones, laptops and even USB keys—or jump drives, as they’re commonly called—add to the ways that employees can inadvertently, or even intentionally, threaten the security of an enterprise’s data. “Nowadays, if somebody has a cell phone, it can contain a download of company information from a PC, but also just be a cell phone. How does a company deal with that?” poses Loiselle. “You need to protect all of the different media types that are out there, whether it’s laptops, jump drives, PDAs or other mobile devices. Companies also have to be leery about both internal and external [risks]. External would be theft and loss. The person didn’t mean to lose it—it was an accident; somebody stole my laptop; I lost my jump drive; my PDA fell out of my pocket. Then you have internal, where it’s intentional. Where somebody who works within the company has access to company information and they do something malicious with that information. And still, you can only go so far, because the company still needs the employee to be productive.”
One way to protect data is with Utimaco’s SafeGuard Easy disk encryption software, of course, but Loiselle offers a few tips and tricks that could also make a difference. The first thing, he says, is staff awareness. “Make sure that people know what’s going on and they don’t do anything unintentional because they lack the knowledge. The second thing is, [in regard to] mobile devices such as notebooks, use strong passwords. Some people never shut down their machines—they put them in standby mode. Well, standby’s not secure. Make it hibernate and use an encryption product. Because if you’re in standby, I can open up your machine and get all your data. Make encryption automatic. Restrict people from being able to use plug-and-play devices. Shut off your Bluetooth, things like that. Then the third one, which also addresses Bluetooth on the PDA, is, if you use a PDA, make sure you know what’s going on around you. Use strong authentication to get into your PDA. Use biometrics. A lot of people have PDAs without any passwords, and they’re not encrypted.”
These are common-sense practices, but unfortunately they aren’t always enforced, or even considered. Additionally, workers aren’t always aware of the laws they’re accountable to. California’s SB 1386, for example, requires organizations that collect personal information to protect the data against possible identity theft and to alert individuals whose information may have been compromised. If a sales rep, for example, keeps client information on an unsecured laptop that’s stolen or lost, it could significantly impact the company. “People are holding healthcare seminars and sending out HIPAA notices. Well, I don’t see that happening in terms of security, and yet you have equal liability,” says Loiselle. “If the employee knew he or she could cost the company millions of dollars if they made a mistake, don’t you think they’d want to know?”