How much confidential business data has been compromised over the years as a result of the theft of laptop computers? It’s a good question if you ask me because we’re all under pressure to ensure that mobile computing devices employ encryption to ensure that appropriate risks are mitigated in the event of them being lost or stolen.
Such pressure mounts when we also see organisations being fined when laptops go missing. For instance The Nationwide Building Society got hit last year for nearly £1m when a device that was taken from an employees home “contained confidential customer information and may have put millions at risk of identity theft.” Full story here. Chances are that this was a nothing more than a random burglary committed by thieves who probably don’t even have opposing thumbs capable of opening the lid. So, the chances of them being able to get any data out of it are slim. Most likely is that the drive was formatted by the new owner after it was sold for a quid and that it’s now being used by a local education authority somewhere, in west Africa. As also stated on this blog, the “majority of laptop thefts are not targeted, they’re just carried out by someone who sees the laptop as a portable asset that can be easily resold.”
But, let’s suppose that the theft could have been targeted, and somebody could specifically have been after the data. A real enough scenario for some organisations. Encryption certainly mitigates the risk up to a point. However, if such effort is going into capturing a device then you can bet that some forethought would also be going into obtaining the relevant keys. For a good example, remember the case where car thieves cut off the index finger of the owner of a Mercedes in order to get around the biometric security. Where there are motivated, capable, and dangerous adversaries, operating for profit, then is your personal safety worth holding out on the password to your laptop?
In my mind, a much better solution is to keep confidential data off mobile devices in the first place. But let’s come back to the original point and question: How much confidential business data has been compromised over the years as a result of the theft of laptop computers? I don’t know and it doesn’t matter because if your laptops get stolen, and if they contain confidential or personal data, and if you have not used encryption, then you’re stuffed because if the Press don’t get you then the regulators will, and when encryption is so cheap and easy to implement these days then you’ve just been neglegent.
So, in fact the biggest risks to your business may well be from the negative perception and the resulting fines and damage to your reputation than from the probability of the data being compromised and used.
That is good enough reason even if you, like me, don’t rate highly the risk of data actually being compromised in this way. So now all you have to do is choose your encryption product. And that’s another story….