Encryption alone is not enough

A recent article by Kerry Davis mentions an identity case involving the theft of an Ernst & Young auditor’s laptop containing the credit card details and addresses of more than a quarter of a million customers of hotels.com in the US. Sure, the auditor should never have left the laptop in his car, “but even if he had taken it with him there was always a risk of theft or loss”.

This incident demonstrates that encrypting data is important, but encryption alone is not enough.”Data security requires a holistic approach. It’s as much about mindset as about the need for passwords, secure ID tokens and encryption”.

Security should be considered from all angles: physical, personnel, procedural, technical, policy and regulatory. However, most companies rely on the physical and technical alone.

“According to the DTI, a quarter of companies don’t carry out any background checks when recruiting [new employees] and one in eight does nothing to educate staff about their security responsibilities”.

It’s not good enough to give a laptop to someone who is always on the road and tell them never to leave it in their hotel room. This sort of ‘no choice’ edict simply brings a security policy into disrepute. Everyone will have to ignore it in order to do their jobs.

All aspects of security should be considered together, so controls support and mitigate each other and a failure of one does not invalidate the others. For instance, if an auditor regularly has to leave a laptop in a car for good reason, the company should provide a secure storage box. What’s more, if a laptop containing sensitive data is stolen, the consequences may be by far less disastrous if it is protected by strong authentication and encryption systems.


This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

Comments are closed.