I know I'm not the only one annoyed by these frequent (and often, seemingly disastrous) data security breaches, which endanger millions of people's private information. I get questions all the time asking how to fix the problem.
Start by selling all of your laptops. And while you're at it, get rid of most of your employees. When you think about it, the single most significant contributor to these breaches is mobility. The second biggest issue is the people themselves. So if you take away their mobility and fire a large portion of them, the likelihood that you'll be breached goes down dramatically, no?
You think I'm kidding? How many of these breaches are a result of stolen laptops? Probably 80 percent - and the other 20 percent are a direct result of the stupidity of employees who've put private data on their home machines or fallen prey to sophomoric social engineering attacks.
So if all your employees are gone, then you're not vulnerable. And if you have no employees, then you don't need any laptops either.
You say you need those employees? Getting rid of all your laptops isn't an option? I guess my master plan is pretty much screwed. Curses, foiled again!
But what you can do is tighten up the security around these two most significant leakage points (the laptops and the people).
Firstly, make sure private data doesn't get copied down to laptops and USB drives. To make this happen, you need tighter database security (including better access control and auditing on the data stores). If you've got any staff with a legitimate business reason for having private information on a machine that leaves the premises, make sure you lock that machine down.
Whole-disk encryption is a start. An enterprise-class policy-driven mechanism to selectively encrypt sensitive data and enforce endpoint security is optimal.
Secondly, train your folks better. I've found that most employees simply don't realize they're doing anything wrong.
Security education needs to be ongoing and consistent, and it's not. We're reaping what we've sown through years of ineffective training, mostly driven by lawyers trying to communicate useless policies to limit liability. That's all very well, but avoiding the problem in the first place is a much better option than running damage control once disaster has struck, don't you think?