Humans continue to be 'weak link' in data security

61 percent of laptop losses result in data breach

Nearly 90 percent of IT workers in the UK have said a laptop in their organisation has been reported lost or stolen, new research has found.

Sixty-one percent said that this then resulted in a data breach, according to the '2010 Human Factor in Laptop Encryption Study: United Kingdom', a report produced by the Ponemon Institute for Absolute Software.

A survey from Ponemon in January revealed that the cost of a data breach had risen last year to £126 per customer record. The average total cost of a data breach rose from £4.1 million in 2008 to £4.17 million in 2009.

Ponemon surveyed 368 IT workers and 355 non-IT business managers for the latest report.

The institute said that its findings, particularly with respect to how business managers look after their laptops and their contents, were very similar to its study last year.

However, while in that study it suggested that the negligence was possibly due to users relying too much on encryption solutions, report author Dr Larry Ponemon said: "We also conclude that current training and awareness programs may not be effective in preventing employees' risky behaviour."

The institute found that although fewer business managers reported a laptop loss or theft (65 percent) and data breaches as a consequence (25 percent), just 18 percent of business managers said that their organisation was able to prove that the contents of the laptop were encrypted. This is compared to 45 percent of IT workers.

Despite the risk of laptop loss and data breaches, not all organisations provide encryption for their laptops.

Only 55 percent of business managers said that their organisation provided encryption, 10 percent fewer than IT workers (65 percent).

Encryption solutions used to protect laptop content ranged from network or gateway encryption (the most popular) to encrypted backup devices, including thumb drives. Whole disk encryption for laptops was the second most popular method, followed by file-based encryption.

Despite these encryption methods being in use, just 35 percent of IT workers do not worry about losing their laptop because of its contents are encrypted.

Business managers appear more confident, however, with 63 percent not worrying about losing laptops. This is evident by the fact that when travelling, only 20 percent of business managers never left their computers in insecure locations, compared to 79 percent of IT workers.

Ponemon also found that business managers put data at risk by not using encryption properly.

Forty-eight percent of business managers admitted to forgetting their laptop's encryption password, compared to just seven percent of IT workers.

Only half of the business managers were able to recover their password, and 43 percent said they could no longer access the information, and permanently lost it, as a result of forgetting their password,

Business managers were also more likely to go around security procedures by recording their password on a private document, such as a post-it note (35 percent), or sharing it with other individuals (31 percent).

None of the IT workers recorded their password on a private document, but three percent did admit to sharing their key with other people.

Ponemon reiterated the conclusion it made in its 2008 study: "The human factor is the weakest link in any organisations' efforts to defend data at risk," he said.

John Livingston, chairman and CEO of Absolute Software, said: "The Human Factor in Encryption study shows that you need to seriously contemplate the degree to which your own employees may be contributing to the potential for business-jeopardising data breach incidents.

"You must take the human factor out of your computer security plan."

Earlier this month, a study by Redshift Research found that up to 90 percent of UK companies may not comply with PCI security standards.

This story, "Humans continue to be 'weak link' in data security" was originally published by Computerworld UK .

Join the discussion
Be the first to comment on this article. Our Commenting Policies