A recent study by the research firm Ponemon Institute reported that, “Despite the best efforts of IT departments, business managers continue to disengage, or turn off, their laptops’ encryption solution – exposing company information to thieves should the computer go missing.” This is a concern, especially given the increase in sensitive data being made more broadly available (electronic health records, mobile computing…) and the continuing reports of lost or stolen laptops, but there was something that I found even more concerning…
In the report was the statement, “33% of IT practitioners believe encryption makes it unnecessary to use other security measures, whereas 58 percent of business managers believe this to be the case”. One third of the IT people and over half of the business people believe that encryption is the only security measure needed? Without effective management of access, how can you truly protect sensitive information in an organization? It’s like locking a door and not being sure who has a key.
In the report, Dr. Larry Ponemon does state, “This study shows that business managers may be overly reliant on encryption to keep confidential information safe and secure”. That’s absolutely true, and it’s clear that the combination of preventive AND detective controls is required to effectively manage the risk of inappropriate access to information.
The goal of any Access Assurance strategy is to assure that only the right people get the right access to the right resources and are doing the right things with it. So, are you taking a balanced approach?