The study shows that business managers are continuing to ignore laptop security procedures above and beyond encryption. Indeed, even with encryption, most corporations are unable to determine if encrypted data remains secure.

Key findings from the whitepaper:

• 95% of IT practitioners report that someone in their organization has had a laptop lost or stolen
• Of those laptops lost or stolen, 72% resulted in a data breach.
• After a data breach, 0nly 44% of organizations were able to prove the contents were encrypted.
• 33% of IT practitioners believe encryption makes it unnecessary to use other security measures, whereas 58% of business managers believe this to be the case.
• 62% of business managers surveyed strongly agree and agree that encryption stops cyber criminals from stealing data on laptops versus 46% of IT practitioners who strongly agree or agree.
• 36% of business managers surveyed record their encryption password on a private document such as a post-it note to jog their memory or share the key with other individuals. Virtually none of the IT practitioners record their password on a private document or share it with another person.
• 60% of business managers have disengaged their laptop’s encryption solution and 48% admit this is in violation of their company’s security policy.
• 55% of business managers sometimes or often leave their laptop with a stranger when traveling.

You’ll see there are many troubling pieces of information there. Individuals have a false sense of security about their laptop security. Indeed, many individuals appear to ignore laptop security altogether by disengaging encryption or not using safe password practices. Are you using a layered approach to your laptop security? If not, find out how we can help!

Download the whitepapers here.

The 2009 study examined the records of 45 U.S. companies that experienced a data breach that year, with records lost in the range from 5000 to over 101,000. The study found that, for the first time, companies are spending more on technologies to prevent and remediate breaches. The organizational cost of a data breach, on average, was $6.75 million. The most expensive breach resolution recorded in the study was $31 million.

Given the first-ever increase in technology spending in this category, the areas where spending was concentrated included technologies in encryption, identity and access management, data loss prevention and endpoint security.

In a similar study, the Ponemon Institute found that the cost of a lost laptop in 2008 was nearly $50,000. It is encouraging to see that companies are paying attention to these costs – which include lost customer trust and loyalty - and are investing in technologies, such as those offered by Absolute Software, to mitigate these costs.

What are you doing to help stop data breaches in your organization?

Image: clipart

This is the 4th annual study on enterprise encryption, basing the data this year on 997 IT and security practitioners in the US (a UK study is also available). The study looks at trends in encryption use, planning strategies, budgeting, and deployment methodologies in enterprise IT.

Highlights from the study:

• 78% of organizations have an encryption strategy in place (74% in 2008)
• 85% experienced at least one data breach in the last 12 months (84% in 2008)
• 22% experienced >5 data breaches in the last 12 months (13% in 2008)
• 58% say data protection is a very important part of overall risk management
• 59% say encryption of data on mobile devices is very important or important
• 26% indicate they encrypt their smartphone or PDA ‘most of the time’
• 51% have no encryption in place for the smartphone or PDA

I was surprised that the repeat data breach figures had gone up so dramatically, showing perhaps that data breaches are becoming chronic issues in some companies. This could indicate a lack of proactive security planning and risk assessment.

The study does indicate that companies are seeking out encryption solutions to preserve brand and reputation, in addition to mitigating breaches and meeting compliance regulations. This shows, perhaps, that companies are ready to take a more pro-active approach to security planning. Remember, too, that encryption is only a part of the solution to pro-active security planning. Absolute Software can help with other pieces of that puzzle, providing IT Asset Management & Theft Recovery for laptops and mobile devices.

Download the report, for the UK or the US, here.

Via SC Magazine

The study was prompted by an increasingly mobile workforce carrying around more sensitive data on their laptops than ever before. The study focuses on samples of organizations in the US that have experienced laptop loss or theft within the last 12-month period. The 138 cases involved loss by employees, temporary employees and contractors.

Key Highlights from the Study:

• The average value of a lost laptop is $49,246 (replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses)
  • The occurrence of a data breach represents 80% of the cost associated with a lost laptop
  • Of the remaining 20% of cost, 59% of that can be attributed to intellectual property loss
• The faster a company realizes of a loss, the lower the average cost associated.
  • If a loss is discovered in the same day, the average cost is $8,950
  • If a loss takes more than 1 week to discover, the average cost rises to $115,849
• Director laptop losses are most costly
  • The average cost of a lost laptop for a senior executive is $28,449, with the highest costs for manager ($60,781) and director ($61,040)
• Encryption saves money, with an average savings of $20,000 for lost laptops with encryption vs those without – but that’s less than half the savings than if you discovered that the laptop went missing the first day it happened
• The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for services industry ($112,853) and lowest in manufacturing ($2,184)
•  The average data breach cost of a lost laptop varies by industry. The highest average data breach cost is in the services industry ($108,699) followed by financial services, healthcare and pharmaceutical. The other industires were far less.

What the highlights demonstrate is the high cost associated with lost laptops, but also the possibilities for minimizing the damage if companies can identify when laptops are missing quickly. With software such as Computrace by Absolute Software, you can inventory all your mobile computers and devices, know when one is missing and when its stolen get the Absolute Recovery Team to help find it. You can also do a remote data wipe to ensure your lost data does not fall into the wrong hands. And Computrace with Intel Anti-Theft Technology can lock the computer so it can’t even be booted-up. It can easily help reduce the costs of a lost laptop.

Download the White Paper here [PDF]

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

The Ponemon Study tracks a wide range of cost factors that relate to data breaches: from detection & notification to legal ramifications and customer loss (tangible or not). The first study from four years ago helped to identify “direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy.”

The 2008 Study looks at the actual data breach experiences of 43 US companies across 17 industry sectors. This is a larger base sample to draw from, vs the 35 breaches studied in 2007. The breaches in the survey ranged from 4,200 records to more than 113,000 records.

The average cost per breached record has gone up from $182 in 2006 to $197 in 2007 to $202 in 2008. The average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007). The range for costs was anywhere from $613,000 to $32 million.

“In these very tough economic times, businesses cannot afford to lose customers as a result of breach. Although new data breaches are reported each week, and seem to be getting larger, consumers have not become immune. While organizations have learned how to respond to a breach more cost-effectively, customers are increasingly prone to terminate their business relationship due to lost data, producing consistently higher abnormal churn rates.”

The costs of lost business has the highest impact on the per-record breach cost, accounting for 69% of data breach costs. According to the study, breach costs for first-timers (companies with no previous breach history) are higher and that 85% of cases in the study involved companies with more than one major data breach. Insider negligence was the #1 cause of data breaches with over 88% resulting from negligence.

Third-party data breaches, such as those experienced with sub-contractors or business partners lose data, are rising in frequency and in cost. 44% of respondents report a third-party data breach (up from 40% in 2007 and 29% in 2006) with higher per-victim costs than internal data breaches ($231 vs $179). The staggering growth of third-party data breaches would indicate a serious, and costly, oversight in data security planning and accountability.

Other highlights from the study:

• 53% of companies are creating more training and awareness programs to prevent future breaches
• Healthcare and financial services suffer the highest customer loss (average churn rate of 6.5% and 5.5%) after a data breach
• Healthcare data breaches cost $282 per record vs retail data breaches at $131
• 44% of companies have expanded their use of encryption technologies

Download the study here.

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

The study was conducted in order to understand employees’ perceptions about ensuring information entrusted to their care remains effectively managed. This includes using encryption, strong passwords, and keeping their laptop physically safe when traveling. The study unearthed a number of troubling issues including a perception by employees that encryption solutions make other security measures unnecessary. IT security professionals were the most careful in abiding by precautionary steps in safeguarding data on their laptops, but non-IT employees were not so as careful (with 56% turning off encryption).

92% of IT security professionals indicate that a laptop has been lost or stolen in their organization. Of those stolen, 71% resulted in a data breach. In the event of a theft, companies relying solely on encryption cannot be sure whether all stored data on a laptop has been encrypted, if it has been compromised, or even which files have been accessed by thieves. To help solve security risks that encryption alone cannot adequately address, companies can employ a security solution that can locate a stolen or lost laptop, detect which data has been accessed, and remotely delete sensitive data. Such a solution, like Absolute’s Computrace, is not dependent on the diligent behavior of corporate employees.

“The data suggests that, because of user behavior, encryption alone is not enough to protect mobile devices and the sensitive data stored on them. These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the number one cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen.” - Dr. Larry Ponemon, chairman and founder of The Ponemon Institute

“The Human Factor in Laptop Encryption: U.S. Study” key findings:

• 92% of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach;
• 56% of business managers have disengaged their laptop’s encryption;
• Only 45% of IT security practitioners report that their organization was able to prove the contents of missing laptops were encrypted;
• Only 52% of business managers – employees most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) – have employer-provided encryption;
• 57% of business managers either keep a written record of their encryption password, or share it with others in case they forget it;
• 61% of business managers share their passwords, compared to only 4% of IT managers; and,
• Business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.

The survey breaks down the types of encryption solutions used to protect data assets, from whole disk encryption to thumb drive encryption. The same questions were asked to IT professionals vs non-IT professionals (business managers), with differing perceptions of security protocols. Here’s a preview of one of the data segments from the survey:

To receive a full copy of the study on the Human Factor in Laptop Encryption, for the US, UK and Canadian markets, fill out this form.

According to the press release, the Index will include objective tools to improve a company’s ability to manage a data breach. The PBI benchmark tool will help: improve existing safeguards to prevent a data breach, determine areas vulnerable to a data breach, and benchmark responsiveness to a data breach against other companies.

The initial PBI was created from the survey results completed by 768 individuals in data protection, IT security and compliance who were experts in their organization for data breaches. All participants had experienced a data breach in the past 24 months, as part of the needs of the benchmarking process.

Although the end result, the PBI benchmarking tool, will be quite useful to see, already the survey results offer some insight. The survey looked at various areas of data incident response: detection and forensics, escalation to management, notification quality and timeliness to breach victims, support to breach victims, post-mortem response, reputation management and response to regulatory or legal action.

“Our study provides further evidence of the importance of having a good quality privacy incidence response plan in place,” said Dr. Ponemon. “More than 83% of respondents believe that the individuals affected by the data breach lost trust and confidence in their organization’s ability to protect their personal information. As we have found in our consumer studies on trust, these perceptions often result in the loss of customer loyalty. In fact, 80% of respondents in the PBI study reported that a certain percentage of data breach victims terminated their relationship with the organization.”

Some interesting findings from the survey:

• 9% of respondents rated their organization’s responsiveness to the most recent data breach as an “A” or excellent. 5% gave their organization an “F” for failure.
• 80% of respondents believe that their organizations experienced some loss of customers or other data breach victims after the incident.
• 50% of participants noted the root cause of the data breach incident to be employee negligence (29% was third party negligence)
• More than 36% of respondents have 1 – 4 data breach incidents involving 100 or more records each year

You can download the 2008 Privacy Breach Index Survey here [PDF]

Via insurance journal