Defending Data With Laptop Encryption

Data breaches are becoming bigger and more common every year, yet many organizations remain reactive and move to protect their data only after a breach has occurred. That’s not the case with nonprofit Educational Testing Service, based in Princeton, N.J., which prides itself on its proactive approach to IT security.

Marcus Prendergast, a senior security engineer at ETS, describes how the company developed a strategic, centrally managed enterprise data protection strategy—including data-loss prevention solutions such as encryption—that enabled it to prevent data breaches, save money and teach employees how to better protect corporate data.

During its 62 years, Educational Testing Service (ETS) has always been committed to protecting its customers’ personal information. That’s why, after two major companies recently made headlines with serious data breaches, we moved aggressively to implement enterprise mobile device encryption solutions to help ensure that our reputation for proactive, effective IT security remained intact.

ETS is best known for the tests we administer, but we are an intellectual property organization at heart. Our value is in our assessments and the customer data we keep.

ETS develops, administers and scores more than 50 million tests annually at more than 9,000 locations in more than 180 countries. These tests include the GRE (Graduate Record Exam) and TOEFL (Test of English as a Foreign Language), as well as the College Board’s SAT-I and SAT-II exams. Accordingly, we have a large data footprint that keeps growing—currently by about 50 million new records a year.

We take our stewardship of customer data seriously because our business is based on trust—trust that our tests are fair and valid and that people can safely share sensitive personal and financial information with us. Data security is an essential part of maintaining that trust: We don’t want customers to wonder whether our company can protect their data and thus question other aspects of their relationship with us.

More importantly, data falling into the wrong hands through a data breach can ruin customers’ lives and threaten a company’s reputation—and even its existence. We want to avoid that at all costs.

Cases in point: In July 2008, pharmaceutical titan Bristol-Myers Squibb confirmed the theft of an unencrypted backup tape of personnel data. So far, no one appears to have accessed the data, which may number up to 40,000 records.

Last January, Heartland Payment Systems, a credit/debit card payment processor, revealed that it had received reports of fraudulent activity from transactions corrupted by malicious software. The hack may have compromised tens of millions of transactions, and the firm is spending a fortune to fix this mess.

That’s because the average cost of a data breach continues to increase yearly, with an average cost per customer record of $202 and a total average per-incident cost of $6.6 million, according to the Ponemon Institute’s “2008 U.S. Cost of a Data Breach” study.

These reports prompted a member of the ETS board of directors to ask about our company’s security practices. ETS had solid network security, but we needed greater data security, particularly for the 1,500 laptops our employees use.

The IT security team used that opportunity to take additional steps to prevent data breaches. We sought to replace pockets of unmanaged data security solutions with a strategic, proactive, centrally managed enterprise data protection strategy, which included data-loss prevention solutions such as encryption.