SANS recently reported that a Ponemon Institute survey, commissioned by Dell, found that more than 630,000 laptops are lost at airports each year, usually at security checkpoints and departure gates. A staggering 67% of them are never recovered. From SANS NewsBites Vol. 10, Num. 52:
The survey…included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent.
Surprisingly, the SANS article made no mention that the Ponemon survey found that 65% of the travelers who have confidential or sensitive information on their laptops do nothing to attempt to protect it. The article seems to be more focused on physical security and this is indicative of a paradigm that is too heavily weighted in favor of protecting the network rather than the information traveling across it. The paradigm is shifting, but not nearly fast enough, as the survey shows.
Given the nature of operating systems and software, embedded or otherwise, there will never be a completely secure network; there will always be vulnerabilities to deal with and deal with them we must. However, the Internet is designed for sharing, not securing, a fact that’s never been more true than it is today; with Web 2.0′s emphasis on community and collaboration, the need to protect the information is even more critical.
We can’t predict security vulnerabilities in third party software and systems, so all we can do is patch after the fact. If we make data protection the first priority and never allow a scrap of sensitive information to reside anywhere on any storage medium without it first having been encrypted or physically isolated, the severity of any newly-discovered vulnerability is greatly lessened.
What do you think?