01 October, 2007 12:52 PM EST
Three Reasons to Avoid Protecting a Small Group of Workstations
Posted By: John Girard, VP Distinguished Analyst

What is sensitive data? If you don't have a good answer, then you have gaps in your data encryption plans.

I specialize in security for road warriors and teleworkers, so every day, I talk with clients about their needs and plans for implementing encryption tools to protect data stored on workstations. A common theme for all these conversations is a desire to save money by only implementing protection for a small group of PCs that are carrying the company's sensitive information. Three problems arise from this theme.

The first is "less is more" - in this case, less can cost more money. If you want to manage your encryption, you need a management console. It is not free, nor is it discounted for small purchases. There is also the matter that prices per seat decline for larger purchases. I have seen situations where a client paid less overall, and less per user seat, by negotiating well for a larger purchase, which brings more workstations under protection. Larger purchases also mean that the cost can be distributed across more managers and business lines, taking some of the burden off the early adopters.

The second problem is the matter of defining sensitive data. Most clients limit their thinking to information that is linked to specific laws, because of the connotations of a breach. However, data that is not covered by a strict interpretation of a law or regulation can be just as important and just as damaging if it is exposed. For example, I worked with an oil company that planned only to encrypt a handful of notebooks used in HR. The company did not plan to secure HR desktops. However, we all know that the majority of cybercrimes are inside jobs, so why wouldn't the same information need to be protected on the inside? Beyond the HR data, I presented several scenarios in which general company information deserves protection. For example, unencrypted mobile, remote and wireless-enabled systems contain information that could be used to infiltrate, monitor, disrupt and misdirect supply chains for parts and services for oil rigs, processing equipment, transportation and other critical systems, none of which would automatically come under the spotlight of a specific law. Hackers do not just look for financial and medical data; if you lock up one treasure, they look for the next.

The third problem is that users and workstations change roles over time. We must also account for employees who change jobs or projects within a company. A person who at one point is working with "nonsensitive information" can be promoted or transferred, but will the IT department recognize this? If there is a delay before IT catches up and protects that person's system, that delay is a gap that could lead to a breach. Then there are the people who have copied data they should not be carrying: no system in the company is designed to stop them, and their systems are unprotected.

In my role I have always been sensitive to data protection challenges, but now it's hitting close to home. In August, a laptop computer belonging to my own state's government was stolen from a car, and it contained personally identifiable data on more than 100,000 taxpayers. Then another laptop was stolen from a car, this one a private consultant's, containing records for family welfare cases.

It's time to recognize data protection as a cost of doing business. We need to stop trying to save a bit of money and face the risk of becoming another headline!
