Data security: Coach 71, seat 45. In the train across from Steen is a middle-aged man in a suit. He introduced himself briefly when taking his seat – something about auditing foundation-owned companies – but Steen’s thoughts were somewhere else:
He is headed to a board meeting to present the accounts. The PowerPoint file is ready on the computer desktop, and he knows it from memory. Steen folds up the computer and closes his eyes – maybe just a 5-minute rest before arriving.
‘Copenhagen Central Station’, the speaker crackles, and Steen opens up his eyes. He must have been dozing off. The auditor across from him is gone. The same is Steen’s laptop with the annual accounts right there on the desktop!
There are two possible outcomes: Either the
IT department encrypted Steen’s computer, or they risk all of Steen’s local
files to end up in the wrong hands.
All devices must be encrypted to maintain data security
For the 15 years that I have been working with IT and data security, I have yet to see a company that can honestly say that their employees never save files locally on their computers – in spite of their IT policy. Although data security has gotten special attention after the implementation of the GDPR regulation, employees – but also the management – continue to be the weakest link in IT security.
IT managers therefore do not have a choice when it comes to securing data: All devices must be encrypted.
When Microsoft introduced the encryption tool BitLocker, it was with data security in view. Although BitLocker is a free tool that comes with Windows 10 as standard, its implementation is not without challenges.
If you want to secure your data with BitLocker – and also trust it to work – three things are required:
- All devices must have the maturity to be encrypted
- You need to monitor whether the devices will remain encrypted
- BitLocker recovery keys must be saved centrally so that an employee’s hard disk can be unlocked if the employee loses access.
It must be possible to monitor BitLocker encryption from one centralised location
Most organisations I talk to need the possibility of encrypting the entire inventory from a central IT department. Obviously, it is also possible to use the ‘sneakers’ method and walk around to all employees to check and mature their devices and encrypt them one by one.
However, the ‘sneakers’ method is linked to two imminent problems. Of course, there is the time aspect, but you do in fact also lose control as soon as you leave the computer you have just encrypted.
And what is worse, you don’t know whether your colleague’s device will stay encrypted once you leave the room.
Especially that last point is important if you look at data security from a GDPR point of view. Being the IT manager, you must be 100 % confident that all of your personally and business sensitive data are protected. If you are not certain whether all devices are encrypted, you really do not know if that is the case.
For IT managers of companies, it is therefore alpha and omega to have the possibility of initiating and monitoring the encryption of each device from one centralised location while having access to the recovery keys of each device so that all colleagues can be supported.
A stolen computer is not necessarily a security breach
To Steen, the story had a happy ending.
Following a rebuke from the IT manager to never save files locally, they were able to restore a backup so that Steen could do his presentation from a different computer.
The IT manager was able to assure Steen on the phone that although he had failed to observe the company’s data policies, his computer was encrypted, and no files on the desktop or anywhere else on the computer were accessible to hackers.
Although Steen’s already long day became a little longer, the stolen computer was nothing but a pile of hardware – nothing else.