Online security goes mobile

by Stephanie N. Mehta @FortuneMagazine January 11, 2010, 3:28 PM EDT

“Unfettered” shouldn’t mean unconcerned about mobile hacks.

By David Jevans, CEO, IronKey

Jevans: Mobility can mean more chances for security breaches. Photo: IronKey.

It’s a mobile, mobile, mobile, mobile world: More and more of us are using laptop computers, Apple (AAPL) iPhones, Research in Motion (RIMM) BlackBerrys, USB flash drives and other portable computing and storage devices in our day-to-day lives. Many freelancers and consultants bring their laptops to Starbucks coffee shops, and treat them as their virtual office.

And it’s not just consumers and consultants who are adopting a mobile computing lifestyle. Companies and government agencies are trying to become more agile and efficient, and increasingly are relying on productivity gains that come from a more mobile workforce. According to industry analyst firm IDC, there will be over 1 billion mobile workers by 2011. That means there will be at least 1 billion portable computing and storage devices that will contain work and personal data.

The overall productivity gains sound impressive, but have you ever thought about what could happen if one of those portable computing or storage devices were to be lost or stolen? When you think about what is stored on your laptop, flash drive or smartphone, you might start to think twice about how you can improve the security of that information in case of loss or theft.

Intellectual property, customer data and company financials are the top three concerns for data loss by companies. The Ponemon Institute recently completed a survey of over 900 corporate users of information technology in US companies, and asked them about data loss from mobile computing devices:

43 percent have lost a device that contained company data.
32 percent of those people didn’t report the loss or theft in a timely fashion.
USB flash drives (“thumb drives”) were the top item that was lost (33 percent), followed by CDs/DVDs (31 percent), BlackBerrys or iPhones (20 percent) and laptop computers (5 percent).

Why you should be worried

It is human nature to think “it won’t happen to me.” But the reality is that losing mobile devices happens more often than we think, and the impact to a company’s reputation and finances can be severe.

In October 2009, a laptop was stolen from Halifax Health. That laptop contained the personal information of 33,000 patients. Halifax Health had to notify all of those patients, and tell them to sign up for credit monitoring services. Earlier in the month, the Virginia Department of Education announced that an employee had lost an unencrypted USB flash drive containing the personal information of 100,000 current and former students of Virginia Tech. The State treated it as a serious data breach, and had to expend considerable resources to contact all 100,000 of those people.

Even the military can make mistakes. Lost flash drives from US military servicemen have been found for sale in street markets in Iraq. In December 2009, a laptop was stolen from inside the United Kingdom’s Ministry of Defense.

It’s not just a business’s reputation that is at stake. In January 2009, the U.S. Veterans Affairs Department agreed to pay $20 million to settle a class-action lawsuit filed by veterans over the risk of potential identity theft, when a VA laptop PC that contained their sensitive information was stolen in 2006. Security firm McAfee estimates that losses of intellectual property, through lost and stolen devices, as well as Internet attacks, cost companies up to $1 trillion per year.

Can you keep the loss of data private?

If a private citizen has their laptop or smartphone stolen, they may simply suffer the expense of replacement and the hassle of restoring data from a backup.
However, employees of companies face a different set of circumstances if that lost device contains customer data. California was one of the first states to pass a law, SB-1386, which requires companies to notify consumers should their data be lost or leaked. Similar legislation has now been enacted in many other states. In fact, in a survey of 323 IT managers and top executives, 79 percent of respondents stated that every day they work with data that, if lost, would by law require their organization to publicly notify potential victims. Federal lawmakers are now discussing mandating data breach notifications as a Federal law.

The best way to protect yourself and your data is with the use of encryption. Encryption is a technology that scrambles the data on your laptop, phone or thumb drive, so that if the device is lost or stolen, only someone who knows the correct password can unlock the device and unscramble the data.

Encryption is built into Apple’s Mac OS X. It’s called FileVault, and it’s very easy to use. Microsoft’s Windows 7 operating system also offers built-in encryption, called BitLocker. There are also encryption options for many smartphones, and USB thumb drives like IronKey that offer embedded hardware-encryption capabilities.

Despite this wide availability of encryption technology, a recent report by InformationWeek showed that only 38 percent of companies encrypt data on portable devices. This is an attitude that’s got to change. Encrypting our mobile computing devices is something that companies and individuals alike must start to do. Just like using a seatbelt and airbags, we hope that something bad won’t happen to us, but we’re all very glad to have the protection if something goes wrong.

Jevans is CEO of IronKey, a Los Altos, Calif.-based maker of secure flash drives. He has spent more than 10 years in senior roles at Internet security concerns.