Protect against lost or stolen information with HDD encryption – an overview of risks and countermeasures.


More companies are promoting remote and work-from-home opportunities to address diverse work styles and improve employee productivity. This often requires having company network access on devices while out of the office.

However, the risks to sensitive company data if the laptop is lost or stolen is often a deterrent to implementing this work strategy, and while some companies might allow remote work, they are often not adequately protected.

We have noted IT author, Tomonori Yanagiya, explain the importance of HDD encryption in the case of loss or theft.

Table of Contents

  1. Risks of lost or stolen information and protections available for use of laptop remotely.
  2. BitLocker function on Windows OS.
  3. Checklist for implementing HDD encryption.
  4. Self-encrypting drive (SED) with high-speed operation recommendation.

Risks of Lost or Stolen Information and Protection Available for Laptops.

It is vital to have a quick response time in business today. If you are working outside of the office, network accessibility on a laptop is a must, and herein lies the vulnerability to sensitive company data.

What if the unthinkable happened and an unauthorized third party was able to access company data on your personal device? Not only would your company and personal information be exposed, but also that of your partners and clients, potentially destroying trust and creating vulnerabilities to litigation. Network security is not just the responsibility of your IT department. Let’s take a look at data compiled by NPO Japan Network Security Association (JNSA) in “Research Report on Information Security Incidents 2016”.

# of persons leaked 13,965,227
# of incidents 488
Total reparation of assumed damages 278,879,790,000 yen
# of persons leaked per incident 31,453
Average assumed damages per incident 628,110,000 yen
Average assumed damages per person 31,646 yen

*Taken from “2016 Personal Information Leakage Incident Summary Data” from JNSA’s “Research Report on Information Security Incident 2016 – Personal Information Leakage”.

Leakage Cause Ratio (# of cases)

 

hdd-protection-chart

At least 18.3% of lost, forgotten, or stolen data is considered personal information. Additionally, with the risk of large compensations for damages related to lost or stolen data, it is imperative to prepare for these vulnerabilities to promote modern work strategies and employee productivity.

HDD encryption (hard disk drive encryption) is considered an effective measure of laptop security. HDD encryption does not just encrypt files or folders, but entire hard disk drives, including the OS and system files as a whole.

As there are various components of HDD encryption to consider, we will highlight the points you want to be aware of when implementing these measures.

hdd-protection-image1

About BitLocker Function on Windows OS

BitLocker is the most common HDD encryption service. Since it is an encryption function installed in Windows 10 Pro, it is assumed that many use it exclusively. When BitLocker is enabled, you can encrypt the entire HDD and SSD, and it cannot be decoded unless you have an encryption key. Even if you were to remove the hard disk and connect it to another PC, you would not be able to access the data. Also, in a personal computer equipped with a Trusted Platform Module (TPM) security chip, another layer of security is added by storing the encryption key in the TPM security chip.

How to enable/disable BitLocker Drive Encryption in coordination with TPM function

BitLocker is a Windows 10 Pro OS-equipped function that can enhance security without adding additional cost, which can be a very attractive feature. But BitLocker has limitations. Users with administrator privileges can easily turn off BitLocker encryption, and you do not have the capability to manage multiple computers from a central location. Also, since it is a Windows OS-only function, management is complicated if the company uses both Windows and Apple devices as Apple has a separately supported encryption function called “FileVault”.

Although Microsoft provides Microsoft BitLocker Administration and Monitoring (MBAM) as a dedicated tool that centrally manages BitLocker, license agreement is required for each one, which is costly. BitLocker’s unified management software is also sold by other companies, but you need to carefully consider the company size, operation method, and maintenance.

hdd-protection-image2

Checklist for Implementing HDD Encryption.

When choosing HDD encryption software other than BitLocker, what are the things you should be considering?

Free encryption software that supports both Windows and Apple such as “TrueCrypt” exists, and for small and medium-sized companies free software can be used to reduce costs. If the company is over a certain size, free software is not recommended considering the increased vulnerabilities associated with large operation management.

Points you want to pay attention to when selecting HDD encryption software are:

  • Data encryption range (ability to encrypt full drive and external media)
  • Authorization system
  • Recovery system
  • Management system

The Best Data Encryption Range is Full Drive with External Media Support.

Full drive encryption encrypts all of the HDD including system range and program range as a prerequisite. For example, some software may have unencrypted areas such as system partitions, but with full drive encryption there is no unencrypted area, providing comprehensive security.

Even if the PC is encrypted, encryption may be deactivated if you copy a file to a USB or cloud. Encryption is pointless if data can be lost or stolen when transferring to a USB, so we recommend software that can keep information encrypted when sharing to external media while outside the company.

How to Distinguish Between SSO (single sign-on), Two-step Authentication, Network Authentication, etc.

Authorization systems divides security into OS authentication, “two-step authentication system” authenticated by encryption software, and SSO (single sign-on), which only requires one authentication to coordinate with the OS. Some products also allow for system network authentication at this stage.

For example, if it is possible to connect to the network, you can make it unnecessary to authenticate, or conversely, if you cannot connect to the network, you can make it impossible to authenticate even with an authorized ID and password. In other words, in-house work can save time by bypassing certification, but it is necessary to always use secure certification for external use, so that you can protect your data on a case-by-case basis. Despite this work around, if you do two-step authentication every time, you might forget the password and reduce productivity, so it is important to consider efficiency for the authentication system as well.

Reduce Loss of Productivity from Forgotten Passwords.

Due to the typical recovery procedure employed if the user forgets a password, work processes can be stalled from not being able to access encrypted data because of layered security protocols. Some administrators, however, are given the capability to recover the password easily or issue a temporary password as a resolution.

Company Size and Work Content Determine the Appropriate Management System.

Most software can be managed from a dedicated network server or in the cloud, but because some items use existing file servers from various products, the number of targets to manage increases, which then takes more time to configure. Company size, types of use, and whether you are combining devices with OS and Apple encryption are key when choosing the appropriate management system.

hdd-protection-image3

Self-encrypting Drives (SED) Capable of High-speed Operation are Recommended.

On a personal computer built-in data is encrypted first when you install HDD software. This process can be inefficient, taking several minutes to encrypt just 1 GB, and is counterproductive since the reason you are adding layers of security is to improve and diversify productivity.

The speed of a Self-Encrypting Drive (SED) is unrivaled, makes the initial OS system encryption process unnecessary, and since the encryption key is housed in the SED, breaking the code is extremely difficult.

When using a SED it is important to remember that if you remove it from the main device and connect it to another PC, you rewrite the encryption key and won’t be able to retrieve previous data, but the risk of lost or stolen data with be eliminated. Also, it is recommended that you destroy the drive and overwrite or erase data when you dispose of the SED. In short, the ability to rewrite the encryption key to remove access to data heightens productivity on front and back ends at a lower cost.

hdd-protection-image4

The initial cost outlay for installing encrypted products might be a burden to some users. However, as diverse work place strategies and productivity increase, losses from not implementing remote work opportunities will be greater. When a company promotes innovative security measures such as HDD encryption, they create a safer, more user-friendly work environment that motivates employees to be innovative as well.


This article was translated to English and was originally published in Japan.
https://workit.vaio.com/i-how-to-prepare-for-lost-notebook-computer/