Security: Don't Spring a Data Leak - 'ZIFFPAGE TITLEMistakes Will Be Made '

Mistakes Will Be Made

Another lesson from the rash of data losses in the headlines is that "user education" is only effective to a point. It's certainly true that employees should be regularly updated on good data-handling hygiene. But no amount of education will eliminate careless mistakes or stop a disgruntled employee from violating a policy. Security technologies like encryption and digital rights management software, which controls access to specific pieces of content, can act like seat-belt laws—to help computer users from hurting themselves.

"We can do training, we can do policies, but unless we monitor every laptop every single day, there's no way we can control what people put on their laptops," says Jacob Mays, assistant vice president of information technologies at Stillwater National Bank and Trust in Stillwater, Okla.

To make sure no data can be read on a lost or stolen computer, the bank fully encrypts all of its 80 laptops with PGP software, a measure it initiated last year. Employees must enter a password before Windows even boots up.

Like seat belts, security mechanisms have to be easy to use. "You can talk until you're blue in the face about the need for it, but unless it's practical, people aren't going to use it," says Jason Elizaitis, director of information technology at Fairfield Greenwich Group, a New York-based asset management firm.

Fairfield Greenwich Group, which manages $10 billion in assets for high-net-worth individuals and institutional investors, uses Liquid Machines' Document Control digital rights management software at six offices worldwide. The software lets employees encrypt and assign privileges to documents (such as flagging them for "internal use only" or "do not print"), using a drop-down menu that is installed in the menu bar of Microsoft Office applications.

Why hasn't every company on the planet put in similar safeguards?

Cost may be one issue. A sophisticated digital rights management system, for example, can run to $500 per employee, while content-filtering packages start at around $25,000. Encryption products have entry prices of $125 to $300 per employee; vendors in this market include PGP, Pointsec Mobile Technologies, Utimaco Safeware and WinMagic.

Microsoft promises to bring encryption to the masses in the forthcoming Windows Vista operating system, which includes a feature called BitLocker that can automatically encrypt a PC's entire disk.

Meanwhile, some I.T. managers still have a perception that deploying and managing encryption products is extremely complicated, says Andrew Krcik, vice president of marketing at PGP. "There's still a hangover from people having looked at encryption seriously five years ago and said, 'It's way too complex,'" he says.

Stillwater National Bank's Mays found setting up and managing laptop encryption straightforward, requiring employees to leave their laptops overnight to perform the initial full-disk encryption. He was at first concerned that the PGP encryption software would slow down the machines, but found that on any laptop less than three years old, "there's not a noticeable performance hit."

To Zimmerman of Regions Financial, the justification for encryption and content-monitoring measures boils down to this: What's the company's reputation worth? As Zimmerman puts it: "Whether we lost one record or 1 million records, our credibility with customers would be shot."

NEXT: 5 Steps to Prevent Data Loss