Information security awareness lacking in laptop users, according to study

Information security awareness is still lacking in business laptop users, according to a new study carried out by The Ponemon Institute.

Business users of laptops in the U.K. still tend to underestimate the dangers associated with carrying important data on their machines, according to a new study highlighting a lack of information security awareness. Many users still take chances by leaving their machines running in public areas. Some also share passwords with colleagues, and even turn off encryption.

The study was carried out by the U.S.-based research company The Ponemon Institute for Absolute Software Corp., and is based on responses from 368 IT practitioners and 355 business managers in the U.K.

Results show that while those working in IT tend to be far more careful about handling data, business managers still display a basic lack of information security awareness, especially when it comes to laptops.

One problem highlighted in the report is that a lot of business managers appear to have trouble using encryption:

  • 48% said they had forgotten their computer's encryption password. 50% of those who had forgotten their password said their help desk was able to help them recover their password or key.
  • 43% of those who had forgotten their password said they had permanently lost data.
  • 35% record their password on a sticky note.
  • 31% share their password with others in case they forget it.
  • 53% had turned off their machine's encryption, although this was often in breach of security policy.

The report also explored users' habits and, once again, found that business managers tend to have little idea of the dangers of leaving laptops running in a public area. For instance, only 17% said they would never leave their laptop under the watchful eye of a fellow traveller on a train while they went to the buffet car. And only 26% said they would not use an insecure wireless network when away on business.

And yet, theft of computers is a growing problem with potentially disastrous repercussions. In the study, 86% of IT practitioners said that someone in their organisation had a business laptop stolen. In 61% of those cases, a data breach had occurred, and in only 41% of cases was the organization able to prove the data was encrypted. This last point has obvious implications for regulatory compliance. If organizations can demonstrate that information was encrypted and is safe, they can avoid fines, and also reduce the cost of dealing with a breach.

The figures are reinforced by PriceWaterhouseCooper LLP's latest Information Security Breaches Survey (ISBS), which was published at the end of April 2010. That report said: "The physical theft of computers remains the most common type of incident. Compared with two years ago, rates of theft, particularly by staff, have increased substantially."

The cost of stolen hardware, and the cost of providing and configuring new machines for users, however, pales in comparison to the cost of a breach.

According to PGP Corp.'s latest Global Cost of a Data Breach' report, the average cost of a data breach in the U.K. is now $2.57 million, or $98 per record.

PGP looked at data from the U.S., Australia, France, Germany and the U.K., and found the average cost of a breach across the five countries to be $3.43 million, or $142 per record. The U.K.'s figure is lower than average because there is not yet a mandatory disclosure of a data breach order. By contrast, in the U.S., where breach disclosure is now obligatory in most states, the average cost was $6.75 million, or $204 per record.

The cost of breach handling in the U.K. is likely to rise, according to Jonathan Armstrong, a technology lawyer at the London office of law firm Duane Morris LLP. "With the Information Commissioner's Office toughening its stance on data protection," Armstrong said in a written statement, "imposing hefty fines and scrutinizing more organizations, it will be interesting to see how steeply U.K. cost will rise in the future."

Read more on Data breach incident management and recovery