How To Protect Your Mobile Data
Encrypt data that leaves the office? Yes. The best way to do it? It depends. Here's how to develop a strategy for your organization seeking to secure data on those roaming, mobile devices.
By Galen Gruman
November 01, 2006 — CSO — It was two close calls that changed how Rob Israel thought about encrypting the data on his users' laptops.
A few years ago, a laptop at the John C. Lincoln Health System, a Phoenix-area hospital group where Israel is CIO, was stolen from an employee's office. It could have contained financial or (worse) patient information but, fortunately for Israel, "The laptop was brand-new and had no data on it yet," he says. Still, this pilfery and an earlier PC theft from a common work area (which resulted in a loss of noncritical data) pushed him to revisit his company's security strategy.
The result: Lincoln Health avoids storing data locally on users' computers&mdashPCs and laptops.
In today's workplace, it's impossible to eliminate mobile computing devices&mdashlaptops, thumb drives, mobile phones, PDAs and iPods. If you follow the news, you know that dozens of organizations have had mobile devices lost or stolen, and many of them were not as lucky as Lincoln Health. Since California enacted a data breach notification law in 2002 (followed by 32 other states), there have been a host of embarrassing disclosures about missing computers, most recently at the U.S. Department of Veterans Affairs, the Federal Trade Commission, the Transportation Department, accounting firms Deloitte & Touche and Ernst & Young (three separate occasions this year), Wells Fargo and ING banks, Fidelity Investments, the YMCA and Chevron.
About half of the states' breach-reporting laws give companies a way to avoid disclosing such breaches: the use of encryption on the mobile devices. (See "Legal Incentive," Page 48.) The other states' breach laws encourage the use of encryption, as do other privacy protection laws such as the federal Gramm-Leach-Bliley Act covering financial information, and the Health Insurance Portability and Accountability Act (HIPAA) covering medical information. Avoiding both the breach penalties and the other costs of losing critical data makes an encryption strategy well worth the effort, says Tim McÂKnight, vice president and CISO at aerospace contractor Northrop Grumman. "We paid for our program with the savings from the first three laptops that were lost," he notes.
But encrypting data on mobile systems isn't a simple task. CIOs and CISOs have found that while the technology to encrypt laptop hard drives is pretty straightforward and simple to deploy, there are several aspects of mobile security for which technology is not yet solid, particularly for protecting data on removable media and handheld devices. That's why security leaders who have adopted encryption make sure to use other techniques&mdashboth technological and managerial&mdashto protect their mobile data.