Humans Continue To Be "Weak Link" In Data Security
ChiefMonkeyGrinder writes "Nearly 90 percent of IT workers in the UK have said a laptop in their organization has been reported lost or stolen, new research has found. Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom,' a report produced by the Ponemon Institute for Absolute Software."
Strong password requirements are a big part of the problem. We can teach people how to make more complicated passwords. But the draconian policies set by some sites makes it almost impossible to maintain any degree of security. Make the password requirement difficult enough, and people HAVE to write it down and keep it in an insecure location just to make it usable.
I really fail to see why so many of these companies fail to use common sense. The first thing we do as an IT staff in my organization with laptops is encrypt them. Use something like Truecrypt, enable full drive encryption and set a good password. Laptop gets stolen? You're out the cost of the physical hardware that was taken from you... but the data that was on the machine? You can rest easy that you took every precaution you could to keep it safe. Of course, I work in the health care field so, any laptops, tablets, netbooks etc that have any ePHI (Electronic Protected Health Information), have to be secured. We just take our security practices a step further and do it to all of them. Which is worse? Having your users gripe a bit about an extra password? Or having data stolen? It's saved us once already as a laptop was stolen last year on a business trip.
I'm not saying there aren't plenty of places that encryption is useful security, but I see it far oversold as a panacea. That something is encrypted doesn't mean it is secure. A great example of that would be copy protected games or movies. They use encryption to secure their data. Often it is quite good encryption. AACS uses 128-bit AES crypto, doesn't get much stronger or more tested than that. Yet, it is all for naught. Games are cracked, Blu-Rays are copied and so on. Why? Well because the decryption key is on the disc somewhere. Obfuscate all you like, if they key is there you are screwed.
Same deal with encryption is terms of security for your data. Encryption is useful for data in transit over insecure channels, the Internet being the main one. So long as only your computer and the remote computer have the key, there'll be no snooping on what is going on. Encryption is also useful against physical theft in the case of a laptop or something. If they grab the computer but can't get the password (and the computer isn't logged in or the like) then they can't get the data.
However encryption isn't useful a whole lot outside of that. For example encrypting data on your desktop won't do much against a remote attack. You have to get in to said data and so when you decrypt it, the key and/or data can be captured. You'd be just as well off with unencrypted data overall. Likewise encryption does little to nothing against a social engineering type of attack.
So I'm not saying "Don't use encryption," just that you should think about when to use it, if it is doing any good. Don't sell encryption as something you need to always do, because it isn't useful and can lead to a false sense of security.