If ideal security was cheap, easy to use and didn’t get in the way, we would all have it.
One would hope to be able to provide a simple list of options that anyone could implement at minimal cost and all key security risks would be eliminated. Unfortunately, no such list exists and it would be highly negligent to suggest such a list. A list of basic measures (see tips at the end of this article) can be provided, but it would not always be enough, depending on the circumstances.
The simple truth is that security is costly — not just in dollar terms, but also in terms of added steps or complexities when accessing information. In practical terms, we need to find the right balance. For example, encrypting files and then losing the encryption keys can be disastrous. It is not just a matter of identifying the strongest technology and applying it.
We all know intuitively that a basic wooden front door could be forced open or broken with a few basic tools and not much effort. So why do we not all have steel reinforced doors? Put simply, the reason is that we do not believe the risk is sufficient to justify the expense. If, however, we had our life savings stored at home, we may feel the need for a steel door.
That is not to say we should not always take security seriously; rather, we need to be fully aware of what the real impact may be if data were compromised, and invest in security controls accordingly. There is not much point paying for an expensive security solution that imposes costs and restrictions which exceed any potential impact if data were compromised.
First, the sensitivity of what is being protected should be understood. If the data was disclosed to the public, lost or corrupted, what would the impact be? Could it affect people’s safety? Could it result in direct or indirect financial loss? Are legal penalties a realistic possibility?
For example, consider a school report on a teacher’s laptop. Certainly, inappropriate disclosure should be avoided. However, would disclosure of this information have a significant impact compared with a student’s medical information? Are parents likely to sue?
Selecting controls is a balancing act. In simple terms, if the data is very sensitive, then the controls (in combination) also need to be very strong; that is, the data should have less residual exposure.
Some schools, for example, now provide parents with online access to school reports, protected by basic password controls. On the surface this may seem risky, but closer examination may actually reveal that school reports are not as sensitive in comparison with other data. Therefore, basic password controls are more than adequate. Similarly, if this data were on a laptop, then password and basic encryption protection measures are also likely to be reasonable.
Clearly, if controls were applied properly based on reputable methods, then in the unlikely event of a serious breach, serious penalties based on negligence would be unlikely to be imposed.
The following guidelines from the Office of the Victorian Privacy Commissioner regarding Data Security provide a good insight into what are defined as “reasonable” steps to secure data.
“When considering “reasonableness” in the security context, factors which may be relevant include:
You may use or reference this story with attribution and a link to
http://www.convergemag.com/edtech/Securing-Sensitive-Data-on-your-Laptop.html