Let me first be clear: encryption is absolutely critical. It would be foolish for any organization not to encrypt laptops and other mobile assets. Unfortunately, a policy of encryption can actually lead to a breach when the need for other safeguards is ignored.
Coca-Cola recently revealed it had 55 laptops stolen over a six-year period by an employee responsible for the disposal of the equipment. Coke retires thousands of IT assets each year and reportedly had a policy of encryption.
Coke is famous for its security, so let’s suppose those 55 laptops were the only 55 assets not encrypted. On average, the nefarious employee stole less than one laptop per month. Suppose, every time the employee discovered an unencrypted laptop, he simply set it aside and then took it home.
Almost daily, we hear someone say their boss only needs a “certificate” for the disposal project. More often than not, this belief comes from their employer’s policy of encryption. The rationale goes: if everything is encrypted, then there is no risk of a breach, right? Wrong.
It is true that encrypted data is inaccessible, and therefore the loss of an encrypted asset should pose no threat of a privacy breach. It is not true, however, that there is no risk during ITAD (IT asset disposition) if assets are encrypted.
Any loss of a potentially data-bearing asset is a security incident, regardless of encryption. Privacy laws mandate organizations detect and investigate data security incidents.
Coke ignored basic safeguards during IT asset disposition. It is quite possible that Coke’s policy of encryption blinded executives to the bigger risk.
Had Coke not neglected safeguards, the loss of the first laptop would have been detected six years ago. Given Coke’s reputation for security, I’m sure it would have taken measures to prevent the loss of the other 54.
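The safeguard the post has in mind is chain-of-custody reconciliation: every asset handed over for disposal is tracked by serial number, and the vendor's receipt or certificate of destruction is compared against that list so that a missing device is surfaced as an incident, encrypted or not. The following is an added example, not code from the original post or from any ITAD vendor; the manifest, the certificate serials, the `LT-` serial format and the severity labels are all constructed here for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RetiredAsset:
    """One device slated for disposal (constructed example record)."""
    serial: str
    encrypted: bool


# Constructed sample data: what the organization handed over for disposal.
RETIREMENT_MANIFEST = [
    RetiredAsset("LT-0001", encrypted=True),
    RetiredAsset("LT-0002", encrypted=True),
    RetiredAsset("LT-0003", encrypted=False),
    RetiredAsset("LT-0004", encrypted=True),
]

# Constructed sample data: serials the disposal vendor certifies as received
# and destroyed. LT-0003 never made it onto the certificate.
VENDOR_CERTIFICATE = {"LT-0001", "LT-0002", "LT-0004"}


def reconcile(manifest, certified_serials):
    """Compare the retirement manifest with the vendor's certificate.

    Returns (findings, unexpected):
      findings   - one dict per manifest asset that is not on the certificate.
                   Every such gap is a security incident; an unencrypted
                   device is rated HIGH, an encrypted one MEDIUM, because the
                   loss itself must be investigated regardless of encryption.
      unexpected - serials on the certificate that were never in the manifest,
                   which indicates a tracking gap on the organization's side.
    """
    manifest_serials = {asset.serial for asset in manifest}
    findings = []
    for asset in manifest:
        if asset.serial in certified_serials:
            continue  # accounted for; chain of custody is closed
        findings.append({
            "serial": asset.serial,
            "encrypted": asset.encrypted,
            "severity": "MEDIUM" if asset.encrypted else "HIGH",
            "action": "open incident: asset left custody and was never certified destroyed",
        })
    unexpected = sorted(certified_serials - manifest_serials)
    return findings, unexpected


def missing_serials(manifest, certified_serials):
    """Convenience view: just the serials that need an incident opened."""
    findings, _ = reconcile(manifest, certified_serials)
    return [f["serial"] for f in findings]


if __name__ == "__main__":
    findings, unexpected = reconcile(RETIREMENT_MANIFEST, VENDOR_CERTIFICATE)
    for f in findings:
        print(f"[{f['severity']}] {f['serial']} encrypted={f['encrypted']}: {f['action']}")
    if unexpected:
        print("Serials certified but never in the manifest:", unexpected)
```

Run against the sample data, the reconciliation flags `LT-0003` as a HIGH-severity incident the moment the certificate arrives, which is the point the post makes: the first missing laptop is detected on the first disposal cycle, not six years later. The check is deliberately indifferent to encryption status when deciding whether an incident exists; encryption only affects how severe the finding is rated.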
This reminds me of a wonderful quote by Chesterton: “It isn’t that they can’t see the solution. It is that they can’t see the problem.”