How to keep data safe from prying eyes

IT departments need to be aware of where they are at most risk to stop sensitive data being exposed

Written by Daniel Robinson

Following yet more revelations concerning lost or stolen mobile systems from government bodies, the focus is again on security and how companies can prevent sensitive data from being leaked in such cases.

The most recent scandal surrounds the revelation that nearly 500 government laptops and other mobile devices have gone missing since 2001, but this is just the latest in a series of such cases involving commercial organisations as well as the public sector. It would seem that IT departments need to take a fresh look at security measures for laptops and portable storage, but where should they start?

One of the root causes of many data loss incidents is that organisations are simply not aware of how sensitive information is being used, according to Butler Group senior research analyst Andy Kellett. “In the case where a laptop has been stolen, do you know what information was on it? Do you know where users are storing data across your systems and networks?” he asked.

In most organisations, the answer is no, because the facilities to provide and understand this kind of tracking information simply do not exist, he said.

And while encryption can provide part of the solution, there seems to be a widespread perception that encryption is complex, costly and applicable for use only in highly secure environments, Kellett added.

“There’s a culture of, ‘We’re not in that kind of business’, but many more regulations have come into force recently that say if you keep certain types of data, you need to take steps to protect it,” he said.

In fact, encryption is gradually becoming more and more mainstream, but there are issues around making it operate transparently for users and ensuring that policies are properly enforced.

One policy that firms might follow is to operate full disk encryption to protect laptops used by key mobile workers. Microsoft includes the BitLocker tool in Windows Vista to provide this support, but this is only available in the Enterprise and Ultimate editions of the platform.

For other platforms, such as Windows XP, companies will have to rely on third-party tools, such as the open-source TrueCrypt software, and similar solutions from firms such as Wave Systems, Safeboot and Check Point.

Alternatively, Seagate offers laptop hard drives with an integrated security chip that can perform encryption of data on-the-fly. NEC announced in December that it would make these drives an option in its Versa laptop range, with management tools provided by Wave Systems to enable administrators to initialise a drive over the network.

These two approaches are similar, but having support for encryption in the drive hardware offloads this task from the processor and also adds a layer of protection, as the keys stored within the drive cannot be accessed by an attacker even if the drive is removed from a stolen laptop.

However, if a laptop known to contain highly sensitive data should go missing, business chiefs are likely to derive small comfort from the knowledge that the hard drive is encrypted. With enough time and effort, virtually any security measures can be bypassed, according to experts.

Dave Brooker, managing director of security firm Virtuity, said that while a lot of people put their faith in encryption, a company or government department cannot be sure that a thief will not be technically sophisticated enough to break the code.

Virtuity is one of several firms selling products or services that give administrators the ability to remotely wipe a missing system. In this case the tool, BackStopp, uses the internet or a GSM mobile connection to link with Virtuity’s server, so that a laptop reported as stolen will receive a command to wipe itself when it is turned on.

Products such as the OmniAccess 3500 Nonstop Laptop Guardian from Alcatel-Lucent take this a step further. Launched in February, this is a PC Card GSM modem that doubles as a management node and also stores encryption keys for the laptop hard drive. This means that the laptop cannot be booted without the card present, ensuring that it can be reached by the administrator and remotely wiped if necessary.

While such solutions as these guard against loss or theft, organisations also need to be reminded that the biggest threats often come from inside the corporate firewall rather than outside of it.

If multiple people have access to the same computer, then full disk encryption cannot guard against employees accessing some data that they should not have seen. For example, IT staff often have full access to all employee computers for maintenance and support reasons. This means there is a need for individual files and folders to be encrypted if they contain especially sensitive information.

“What if you’re the finance director, with documents relating to a takeover on your hard drive? Even with full disk encryption, you still need to secure things,” said David Tomlinson, managing director of Data Encryption Systems (DES).

His firm is planning an updated version of its Deslock+ tool to support just this scenario. Credant Technologies also announced version 6.0 of its Mobile Guardian last month with similar capabilities.

Another factor companies need to consider is that employees may be handling data in ways that they should not, such as taking files away to work on at home. Often this is done out of good intentions, according to Kellett, but could lead to employees unwittingly putting their company at risk unless there are controls.

“It’s easy to stick in a USB drive and take away files you need, but people shouldn’t be able to take away the entire customer database to work on at home,” he said.

Staff awareness training can go some way to stemming such incidents, but organisations may also need to put in place measures to stop data being copied to removable storage.

Many such tools are widely available, as analysts and other industry commentators pointed out following the HMRC’s loss of Child Benefit records last year. Products such as Check Point’s Endpoint Security and Centennial Software’s DeviceWall enable firms to set policies governing who can access removable storage, and restrict use to authorised company equipment if required. Many such tools can also enforce encryption of anything stored on devices such as USB Flash drives.

“Frustratingly, many of the systems and processes already exist that would have ensured this did not happen. Such measures include improved staff awareness training and monitoring and, where appropriate, encryption both on media and through secure email channels,” said Dave Martin, security consultant at LogicaCMG.

Not all of the measures outlined will be necessary in all companies, or across all employees, but IT managers need to at least look at how data is being used in their organisations, and take any necessary steps to ensure they comply with the law.

“I think a basic first step is to understand where your vulnerabilities lie with respect to regulations,” said Kellett.
