The ability to encrypt desktop and laptop hard drives has been available to users for years, but has not been widely adopted in South African corporations. Whether because of the complexity of the encryption process or the indifference of users, companies have found many reasons to avoid protecting their information.
More recently, certain business sectors have found themselves under the whip from new regulations and governance standards that define specific security options that need to be implemented if they are to comply.
The Payment Card Industry Data Security Standard (PCI), for example, defines what banks need to do in order to store information from their credit card holders. King III and the new Protection of Personal Information (PPI) Bill also make certain demands in terms of data security that apply to other sectors of the business world.
“What this means is that companies are responsible for what happens to their customers’ data once in their safekeeping,” says Phillip Gerber, Magix Security’s MD. “If an executive loses a laptop or a PC is stolen, as often happens, the company is now responsible if there is customer data on these devices.
“This isn’t a simple problem however, as how does the company know what data was on the stolen devices? It may be a subset of the full customer database to be used for sales leads, or a few customers that have complained and need personal attention that have been downloaded.”
Then there is the e-mail database that is located on everyone’s hard drive. The information in this database is a treasure trove for information thieves.
According to the PPI, when there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify “as soon as reasonably possible” the regulator and the affected data subjects.
The regulator may further direct a responsible party to publicise the compromise if it believes such publicity will protect the compromised data subject.
“How can a company even attempt to comply with this law if it doesn’t even know what data, and in particular, which customers’ data is on the stolen device?” asks Gerber.
“On the other hand, if the hard drives have been encrypted, the organisation is not liable as the data is not accessible to the thieves. They may have some second-hand hardware, but the information on the device is out of reach.”
He adds that in the past, the difficulty of managing the encryption of hard drives caused many companies to skip these solutions as computers had to be taken out of the work environment while the hard drives were encrypted. Users also rejected encryption as it added an extra step to the sign-in process to enter the decryption password.
“These problems belong to the past,” notes Gerber. “Today’s full-drive encryption solutions allow for devices to be encrypted while the user works, and integrate with the company’s directory service to allow seamless user authentication.
“With simplified roll-out and management, as well as no impact on users’ ability to work as normal no matter where they are, there is no longer any excuse to put confidential data at risk.”