Proofpoint: Email Security Blog

Encryption

July 22, 2010

Ministry of Defense and Other UK Government Agencies Lost Hundreds of Laptops and Mobile Devices, Few Protected by Encryption

[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:

“Yes the figures are high, but it should be remembered that the figures come from a two-year period between June 2008 and May 2010. A lot of encryption technologies were brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]

Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.

One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.

And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.

The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.

This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:

"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches."

June 23, 2010

Gartner Analyst Eric Ouellet: Many Organizations "Buying More DLP than They Need in the Real World Case"

NetworkWorld's Ellen Messmer has a really interesting article posted yesterday at NetworkWorld, reporting from Gartner's Security & Risk Management Summit (where Proofpoint is exhibiting, booth #27, BTW). In "Too many data-loss prevention tools become shelfware, says analyst", Messmer relates highlights of a presentation by Gartner DLP, security and encryption analyst Eric Ouellet, in which he talks about the challenges that many organizations face when deploying enterprise DLP solutions.

Of particular note, Ouellet discusses how many DLP deployments go awry because there's not enough involvement from the business units that actually own responsibility for setting up and enforcing policies. "Organizations underestimate the need for the involvement of non-IT business units," Ouellet says.

The whole article is worth a read and it provides an interesting "proof point" for something that we've been noting for quite a while: that multi-channel, enterprise DLP deployments (which involve deploying endpoint, network and discovery tools) are often more difficult and costly than organizations can really manage.

As an alternative, Proofpoint has long argued for a more pragmatic approach to DLP whereby the biggest risk vectors are addressed first (and, as I've noted many times, email continues to be one of the most significant channels for data loss - and one of the least controlled).

Rather than belabor that point here, I'd refer interested readers to this replay of an April 2010 web seminar featuring Proofpoint's Ken Liao, where Ken presents on precisely this topic:

Register for Brighttalk webinar replay: A Pragmatic Approach to Compliance with Policy-Based Encryption

Back to the NetworkWorld article, analyst Eric Ouellet is also quoted on the issue of "enterprise DLP" versus "channel DLP" (that is, addressing the DLP concerns in a specific protocol/channel, such as email):

... the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.

The distinction between enterprise and channel DLP is discussed briefly in Gartner's 2010 Magic Quadrant for Secure E-mail Gateways, which also gives some detail on the DLP capabilities of each vendor in the email security market, including Proofpoint. You can view a copy of that magic quadrant, compliments of Proofpoint, by visiting:

http://www.proofpoint.com/magicquadrant

April 21, 2010

Email Encryption: Register for Our Live Webinar on Pragmatic Approaches to Regulatory Compliance - April 29th, 2010

Proofpoint email encryption specialist Ken Liao will be presenting a live web seminar on Thursday, April 29th 2010 on the topic of "A Pragmatic Approach to Compliance with Policy-based Encryption" at 9 a.m. PT / Noon ET.

Ken's a great presenter and if you're at all concerned about email as it relates to compliance with data privacy regulations, you won't want to miss this online event. Here's the brief overview of what Ken will cover:

Email continues to be the number one source of data loss risks. If your organization handles data governed by regulations such as PCI, HIPAA or GLBA, you need to ensure that your email system can protect sensitive information from improper exposure, while also enabling secure communication with your customers, clients and business partners. Join this discussion to learn more about requirements for protecting sensitive data in email. You'll learn how automatic, policy-based email encryption can provide effective protection for sensitive information in email and why it should be a central part of your approach to compliance.

To attend, please register by visiting the following URL and clicking the "Register for this event" link:

http://mediazone.brighttalk.com/event/Proofpoint/f87e955fd6-3782-intro

February 25, 2010

HIPAA Breach Notifications Begin: US Department of Health and Human Services, Office for Civil Rights, Publicly Posts Breach Info Online

Earlier this week, the US Department of Health and Human Services (HHS), which is now charged with enforcing the US healthcare privacy laws known as HIPAA and HITECH, began posting a list of organizations that have notified the HHS about breaches of unsecured health information that affected more than 500 individuals (as required by section 13402(e)(4) of the HITECH Act, which requires the Secretary of the HHS to "post a list of breaches of unsecured protected health information affecting 500 or more individuals.")

The editors of HealthcareInfoSecurity.com (which is an awesome resource, BTW) have a good summary in their article, "Breach Reports: We've Only Just Begun."

You can find the HHS's list of reported breaches here:

HHS: Healthcare Information Breaches Affecting 500 or More Individuals

Causes for these breaches run the gamut from thefts of paper printouts, hacks and misdirected email messages to losses or thefts of laptops and mobile devices (which would seem to be the most common problem from my cursory scan of the list).

If you're interested in HIPAA/HITECH compliance issues and how they impact email security, you should check out the replay of Proofpoint's recent web seminar, "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" at:

http://www.proofpoint.com/id/beyondhipaa/index.php.

Some of that same information is covered in whitepaper form in our paper of the same name. You can download that whitepaper here:

Whitepaper: HIPAA and Beyond - An Update on Healthcare Security Regulations for Email, 2009

October 21, 2009

Windows 7 Security: A Roundup of Security Features and Commentary from Around the Web

So the big IT news this week is, of course, the launch of Microsoft's Windows 7 operating system tomorrow (Thursday, October 22, 2009). While the jury's still out on whether widespread Windows 7 adoption will improve security in a global sense, it does look like there are some solid new security features that could definitely help decrease malware propagation as well as prevent data breaches from lost or stolen devices (with the inclusion of BitLocker drive encryption that can now support USB removable devices, i.e., "BitLocker to Go").

PC World has a nice overview of some of the core Windows 7 security features including a short primer on how to protect drives with BitLocker. This seems like one of the most dramatic improvements to me (as our own research found that more than 20% of large enterprises investigated a data breach due to lost or stolen devices and media in just the past 12 months). Find that overview here:

PC World: A Guide to Windows 7 Security

CNET's download.com site has a slideshow tour of some of the security-related interfaces in Windows 7 including shots of the security Action Center and User Account Control panel with some easy-to-digest commentary:

CNET: Security in Windows 7 Slideshow

Of course, some things haven't changed over previous versions of Windows. Our friends at F-Secure have previously pointed out that the Windows Explorer default of hiding file extensions for known file types represents a security problem because that makes it more likely for users to inadvertently run malware executables that are masquerading as document or media files (e.g., GIFs, JPEGs or WMVs).

This default continues in Windows 7. Personally, I don't know how folks can even deal with Windows when you can't see file extensions and this is one of the first things I change on a new system or fresh Windows install.

Find F-Secure's commentary on this issue here:

F-Secure Blog: Windows 7 Fail
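As an added example (not code from this post or from F-Secure), here is a PowerShell script that checks whether Explorer is hiding known extensions for the current user, turns that default off, and lists files in a folder whose real executable extension would be hidden behind a document- or media-looking name (e.g., "photo.jpg.exe" shown as "photo.jpg"). The folder scanned and the extension lists are my own choices.

```powershell
# Added example: audit the Explorer "hide extensions for known file types"
# default and flag files that would look like documents or media with it on.

# HideFileExt = 1 (or absent) means Explorer hides known extensions, the Windows default.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-ExtensionsHidden {
    $v = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    # A missing value behaves like the default (hidden)
    return ($null -eq $v) -or ($v -ne 0)
}

function Show-Extensions {
    # Set HideFileExt to 0; Explorer applies it after explorer.exe restarts or the user signs in again
    Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
}

# Types Windows runs on double-click, and "decoy" inner extensions chosen for this example
$runnable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')
$decoys   = @('.gif', '.jpg', '.jpeg', '.png', '.wmv', '.avi', '.mp3', '.pdf', '.doc', '.docx', '.txt')

function Find-DisguisedExecutables {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_.Extension.ToLower()
        if ($runnable -contains $ext) {
            # What the user sees with extensions hidden: the name minus its real extension
            $shown    = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            $innerExt = [System.IO.Path]::GetExtension($shown).ToLower()
            if ($decoys -contains $innerExt) {
                [pscustomobject]@{ Path = $_.FullName; DisplayedAs = $shown; RealType = $ext }
            }
        }
    }
}

if (Test-ExtensionsHidden) {
    Write-Warning 'Explorer is hiding known file extensions for this user; run Show-Extensions to change that.'
}
# Downloads is an assumed starting point; pass any folder you want checked
Find-DisguisedExecutables -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```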

I haven't had much time to mess about with Windows 7 yet, though I've been pretty impressed with it based on my experience installing the 64-bit version of the Win 7 beta on a new drive. It definitely offers snappier performance over XP on the same hardware and the ability to address huge amounts of memory is a huge win for folks like me who do a lot of multimedia work.

That being said, as with any new install of Windows, your first stop after installing Win 7 should be to install a good desktop anti-virus solution. I was pleased to find that F-Secure's Internet Security 2010 already supports Windows 7 (both 64-bit and 32-bit versions) and installed with no hassles. I'm sure that many of the other major anti-virus solutions offer the same support, but I continue to be a big fan of F-Secure because it's very effective, doesn't hog system resources and has a slick user interface.
