If you are in any kind of company with an IT department, chances are you have been given a laptop as your computer tool of choice. Yet even in large Fortune 500 companies, you were not given a specific list of instructions and policies on how you should use your laptop. Just because you have this mobile computing platform, don’t treat it like your purse or a newspaper. Most people do, and every single day you see news articles and posts about another laptop being stolen from a big company and how tens of thousands of people’s information was on that laptop. They don’t think past the monitor hinges to the data stored on the laptop, or about protecting that data more than the physical device.
With the tablet explosion taking over the world very quickly, the laptop is leaning toward being an outdated tool. The computing power will always be in some kind of laptop, but with more power comes more responsibility and more ways to have your company’s personal and customer data leaking out. Tablets are setting the stage to reverse that approach by being slimmer and faster, and really take the IT world back to a terminal-based computing model. In this era they call that “The Cloud”, but really it’s a centralized computing center that you connect into remotely, and you never really need to take the data out of that Cloud. If data is less mobile, by definition it is more secure. Think about it: what’s more secure? 1970s – financial records of all clients printed and stored in a locked file cabinet in a locked secure basement, only accessible by a few people with the keys. 2010 – the same data stored in several databases, exposed to the internet, touched by millions of customers, and able to be copied over and over in minutes.
When companies are relying on the average employee’s actions to protect data of that level of sensitivity, it’s bound to fail.
People are not trustworthy, not because they are not capable of making intelligent decisions (some can’t), but because of their greater ability to make mistakes. You may think your encrypted, password-enabled laptop on the front seat of your car is safe as you run in for groceries because you locked your car. When you return, your window is smashed out and the laptop is gone, along with the SSNs, credit card numbers and accounts you copied to your hard drive so you could work harmlessly on a report at home. The account rep is very good and loyal, but his one mistake just put the whole company at risk and cost them thousands if not millions in potential damages.
In the near future companies will be handing out dummy laptops: fast, memory-loaded machines with no ability to use local storage for anything. The work will all be done in a connection to the central private cloud: check out your documents and spreadsheets, work on them, check them back in, and no data leaves the cloud. If you lose a laptop it’s not that big of a deal, because the encryption and cloud device authentication mechanisms won’t allow you to turn the machine on unless it can talk to home base.
Data Loss Prevention (DLP) tools exist today for the sole purpose of stopping whoopsie emails and file copies of critical data. They are for the dumb mistakes. To really ensure the security of the data, make it as immobile as you can. Today the data in companies is far too flexible, too fluid, accessible by too many people with too few, ineffective security checks. That high rate of movement just increases your risk of data getting out, stored locally on an unstable laptop, or stolen/lost.
It will take a few more iterations of the tablet’s evolution and cloud growth for this to become a reality, but it will. Companies will have to make this move as more and more data gets shared and stored. It should be going on now, but employees still copy critical data to laptops and lose the devices, and employers are not being hard enough in sending the message that this cannot be tolerated.
Employees, people, humans are far too risky to trust with the integrity and security of the data. Looking back at all the projects I have done and am currently a part of, when we go through all the risks, we never bring in the human element as the biggest risk.
You won’t change people, so change how people can work to protect the people.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.