“Encryption of all sensitive information on notebooks should be considered mandatory”
Gartner, Jan 2007, Pub: G00144857
Computer or laptop encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition are always permanently encrypted (even when power supply is suddenly interrupted).
Based on a report from Gartner, a technology research firm, a laptop is stolen every 53 seconds.
This is a sad statistic generating major financial and integrity issues to businesses and individuals.
In addition to the cost of the device and the time and effort to get a replacement ready, here is what the Information Commissioner’s Office website says:
The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Example: Personal data breaches can include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
What happens if we fail to notify the ICO of all notifiable breaches?
Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7 million or 2 per cent of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58. Please visit the ICO website for further information:
It seems that data security breaches take place because companies do not know where their sensitive or confidential business information is stored within the network.
What is more, the vulnerability is not limited to the computer network, but then again includes employees and contractors laptop computers and other portable storage devices.
Most organisations have security practices in place, such as the use of strong passwords, but they become irrelevant especially if members of the team are leaving physical clues that makes their password vulnerable to these threats.
It seems like a regular practice with many employees that keep their passwords on documents such as post-it notes or even notebooks, share it with other individuals and often they keep their passwords on the computers or inside their laptop's carrier cases. This is usually done to serve as a reminder in case the password is forgotten. A best solution would be the use of a password manager.
In 2015, Gartner predicted that by 2018 50% of an enterprise's data will reside external to the data center. In 2018 they predicted that by 2022, more than half of enterprises-generated data will be created and processed outside of data centers, and outside of cloud.
What can we do to protect our organisations, our jobs and the data we are entrusted to protect?
Keep Yourself Accountable
- Physically securing a device is just the first line of defence against data theft. Having access to the local network or office, using the same wireless network for employees and guests, having computers with enabled USB ports and having easy to access active network ports are all security risks and should be treated as major security risks.
Use physical security with personal mobile devices — i.e., locks and cables. Even if they could be perceived as deterrent, it is a good investment on security.
Use biometric fingerprint authentication to manage access control (either physical or digital) to sensitive areas or information systems.
Use physical USB Port Locks, because it reduces the risk of data leakage, data theft and unauthorised uploads
- Use your own user account on your laptop even if it is a personal laptop and when you are the only one who uses it. Password protect it.
- Use a password or a code that no one else is going to be able to guess, and avoid reusing passwords that you already use on your other services. Test how secure your password is: https://howsecureismypassword.net/
- A very good practice is to ensure that laptops or desktop PCs are not left unattended and unlocked, even in a semi-private space like the company office. It takes just a few seconds of unrestricted access to a running PC to install some form of malware or spyware or to copy confidential information. Enable the screen lock after a very short period of inactivity .
- Some home and small-office WiFi routers and APs support WiFi Protected Setup (WPS), a service that was designed to securely join devices and routers with the push of a button. You may want to disable the feature if possible because they are a security risk to brute-force attacks due to the standard's reliance on an eight-digit number.
- Password protect your confidential documents, when you use Microsoft Office to password protect your documents you are also encrypting them.
- Use a password manager for your online passwords.
- Backup your data, even if you lose an expensive device; your data is more valuable.
- Computer or laptop encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted).
Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted too.
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts).
Pre-boot authentication resides in the first track of the boot drive and on the Rescue Disk.
Please note that encrypting a device is a lengthy process that could take a few hours per device.
Our recommendations cannot guarantee that you will never have a security issue, however they are a good place to start. You should contact us to help you implementing these security options for you and your team.
A good effective data protection and security plan starts with a holistic assessment of your organisation, our Team can help implementing a layered approach to improve your endpoint security.
To discuss your business requirements, please contact us on +44 (0) 20 7101 1160. Alternatively, please request a callback and we will contact you promptly.
Please review the areas in which we work by clicking this link: Areas Covered.