Laid-Off Workers Biggest Data Security Threat

1:30 pm on February 18, 2009 | By Tim Lavelle | In disgruntled employee threat, laid-off employee | No Comments

In a recent McAfee study of 800 companies in 8 countries (McAfee-Study), which estimates that businesses risk $1 Trillion in data security losses, 42 percent of the companies surveyed said that laid-off employees were the single biggest threat to their data security. The growing availability and capacity of removable storage, including laptops and USB sticks, has made data loss or theft easier.

Can any company afford to keep this threat window open? If your company deploys an encryption-only solution, a former employee who still has their company computer after termination also still has the sensitive data for which your company is responsible. Encryption no longer protects you at that point, because they have the password.

To ensure that your data cannot be accessed, either by a former employee or anyone in possession of the password, you need a solution that will continue to work for you, even after encryption has been neutralized.


You Can’t Move Forward If You Don’t Back Up

5:20 pm on February 9, 2009 | By Ulan Nivera | In data backup, laptop backup, pc backup, pc data backup | No Comments

So now you’ve finally implemented a comprehensive Information Asset Protection strategy. You have strong password policies and are rigorous about adherence. You’ve even deployed data encryption and possibly the more advanced data destruction capabilities. Your fortress is secure!

However, many things beyond theft or loss can compromise your access to your information. Hardware and software failures are among them. We all know about the occasionally dropped laptop or, heaven forbid, the spilled beer or soft drink that seeps into the innards of your machine. Drive failures are also a common occurrence. Let's also not forget that any encryption system, by its very nature, is designed to scramble your data.

That is why it is essential to have a rock-solid backup and recovery plan to complement your information asset protection strategy. Regardless of the size of your organization, from a sole proprietor to a large enterprise, you should always have provisions to get back to a set of your data that makes you operational again as quickly and smoothly as possible. To that end, there are several things you should consider when developing a backup and recovery strategy. Among them are:

1. How much data can you (or can't you) afford to lose? Will losing an hour's, a day's or a week's worth of data result in a financial or operational catastrophe for your work or business?

2. How quickly do you need to be operational again? Will an extended amount of downtime while you are attempting to recover/restore your data severely impact your work or business?

3. What is realistic for you to do given your resources of people, time and/or money? This includes looking at what technologies, people or processes are available for you to utilize.

Finally, it is important to ensure that you test your backup and recovery strategy on a regular basis. Do not wait for a failure to find out whether you can recover your data. Instead, make it a regular habit to bring data back from your backup sets at least once a quarter. So, in addition to the ability to encrypt and/or eliminate your sensitive data, putting a good backup and recovery plan in place is essential to truly protecting your information assets and your business.
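The quarterly restore test described above, written out as a small drill. This is an added example, not code from the original post: it backs up a directory, restores the archive into a scratch location, and verifies every file by SHA-256 against the manifest taken at backup time. The sample files are constructed; the second drill deliberately includes a file written after the backup ran, which is exactly the loss window the first question above (how much data can you afford to lose) is about.

```python
"""Restore drill: back up a directory, restore it elsewhere, and verify every
file by SHA-256 before trusting the backup."""
import hashlib
import os
import pathlib
import tarfile
import tempfile

def sha256_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src_dir, archive_path):
    """Write a gzip'd tar of src_dir and return the manifest recorded at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(os.fspath(src_dir), arcname=".")
    return sha256_tree(src_dir)

def restore_drill(archive_path, manifest):
    """Restore the archive into a scratch directory and compare it with manifest.
    Returns (ok, problems); problems lists files that are missing or altered."""
    # Python >= 3.12 (and patched older releases) expose the 'data' extraction filter
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **kwargs)
        restored = sha256_tree(restore_dir)
    problems = sorted(p for p, digest in manifest.items() if restored.get(p) != digest)
    return not problems, problems

def demo():
    """Constructed sample data: a good drill, then one that exposes data written
    after the backup ran (the loss window the post's first question is about)."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "data")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("constructed sample: recovery plan\n")
        (src / "notes.txt").write_text("constructed sample: notes\n")
        archive = pathlib.Path(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        good, _ = restore_drill(archive, manifest)
        (src / "late.txt").write_text("written after the backup\n")   # not in the archive
        stale, problems = restore_drill(archive, sha256_tree(src))
        return good, stale, problems

if __name__ == "__main__":
    print(demo())   # (True, False, ['late.txt'])
```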


A time-limit on encryption?

5:20 pm on February 2, 2009 | By Dan Maksim | In brute-force attack, key destruction, password policy, rainbow attack, social engineering | No Comments

The computational power required to brute-force the most widely used encryption algorithms (RSA, PGP, 3DES) is currently beyond anyone's reach, provided that a sufficiently large key is used. Such power should remain out of anyone's reach for the foreseeable future, assuming that:

1. Moore's law holds true, i.e. computing power only doubles every 18 to 24 months;

2. a breakthrough in quantum computing is not just over the horizon;

3. there are no striking advances in the factoring algorithms currently in use.

These assumptions are generally considered to be reasonable.  The real, immediate risk to most security systems continues to be weak password policies and social engineering.
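What the Moore's-law assumption above does to brute-force estimates, as an added worked example (not from the original post). With a fixed attacker, doubling the key length squares the work; with capacity that doubles every period T, the integral of the growing rate means each extra key bit buys only one more period T of safety. The starting rate of 10^12 key trials per second and the 18-month doubling period are constructed inputs.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def years_static(key_bits, keys_per_second):
    """Expected years to find a key_bits key at a fixed trial rate.
    On average half the keyspace must be tried before the key turns up."""
    return 2 ** (key_bits - 1) / keys_per_second / SECONDS_PER_YEAR

def years_with_moore(key_bits, keys_per_second, doubling_years=1.5):
    """Expected years when the attacker's rate starts at keys_per_second
    and doubles every doubling_years (the post's Moore's-law assumption).

    Keys tried by year t is the integral of r0 * 2**(s/T) for s in [0, t]:
        r0 * T / ln2 * (2**(t/T) - 1)
    Setting that equal to the expected work 2**(key_bits-1) and solving for t:
        t = T * log2(1 + 2**(key_bits-1) * ln2 / (r0 * T))
    """
    r0 = keys_per_second * SECONDS_PER_YEAR          # keys per year today
    # log2 of the big term, computed without forming 2**(key_bits-1) as a float
    exponent = (key_bits - 1) + math.log2(math.log(2) / (r0 * doubling_years))
    if exponent > 60:
        # the "+1" is negligible here; this also avoids float overflow for huge keys
        return doubling_years * exponent
    return doubling_years * math.log2(1 + 2 ** exponent)

if __name__ == "__main__":
    rate = 1e12   # constructed starting point: one trillion key trials per second
    for bits in (56, 128, 256):
        print(f"{bits:>4}-bit key: fixed rate {years_static(bits, rate):.3g} years, "
              f"doubling every 18 months {years_with_moore(bits, rate):.3g} years")
```

Under these inputs a 128-bit key that is astronomically safe against a fixed attacker is exhausted in well under a century once capacity compounds, and going to 256 bits adds only 128 doubling periods, not a second astronomical factor.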

However, what if your encrypted data falls into an attacker's hands, and an exploitable flaw is found in the way your data is encrypted and stored? How likely is this to happen? If we look at cryptographic systems introduced only ~10 years ago, we see that flaws are often found ~5 years after their widespread implementation, and these usually lead to full cracks of the system in the following ~2-10 years. Granted, current encryption algorithms are more robust and have already withstood far more scrutiny than older ones, but breaches do still happen. For example, SSL was recently compromised and attackers were able to create a rogue certificate authority.

Encryption alone isn't sufficient to guarantee long-term security. Removing or destroying secured data, in addition to encrypting it, is preferable. If nothing else, destroying the private keys is a great start.
