The continuing failure of many enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a potential data compromise involving a lost laptop.
The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 people who had submitted claims with the company related last year's Gulf of Mexico oil spill.
According to BP, an employee lost the laptop while on routine business travel.
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks and other mobile devices account for a substantial portion of breaches these days.
For example, statistics maintained by the Privacy Rights Clearinghouse indicate that about 30 of the 144 data breaches announced so far this year involved portable devices.
Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against breaches that could occur if a device is lost or stolen.
But a distressingly large number of companies have continued to ignore that advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst at Gartner.
Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.
Similarly, while it's true that full disk encryption can affect laptop performance, the trade-off is that you get better security, and that's fully worth it, she said.
"Enterprises that are not putting in laptop encryption are just being lazy," said Litan.
If nothing else, the growing cost of data breaches should be pushing companies to adopt portable encryption more aggressively, say analysts. A Ponemon Group report released last month states that companies that experience data breaches these days can end up paying close to $214 per compromised record on average.
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst at Spire Security.
The only legitimate reason that companies might have for not encrypting all of their laptops is that encryption involves management overhead. But even so, instead of complaining about overhead, enterprises should be doing more to push vendors for products that are easier to manage, he said.
"I am not a fan of regulations in general, so I'm not ready for a [government] mandate" requiring laptop encryption, Lindstrom said. "However, some sort of penalty on loss might be in order."
Darren Shimkus, a senior vice president at security vendor Credant, said that it's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days. "It simply is not happening in the manner you would expect," he said.
That lack of adoption is a problem not just in the private sector, but also within the federal government.
In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on more than 26 million veterans, the Office of Management and Budget issued a memorandum requiring all agencies to encrypt sensitive data (download PDF) on portable devices.
Today, nearly to five years later, several federal agencies are still not even close to compliance, according to an OMB report to Congress (download PDF) released earlier this month.
While several agencies have reported 100% compliance, and many others are well on their way to achieving full compliance, the governmentwide compliance average is still just a little more than 54%.
Numerous products are currently available that allow organizations to encrypt data at the disk level and at the file level fairly easily and cost-effectively. Yet many enterprises appear to be holding back because of outdated perceptions relating to the deployment and management costs associated with encryption, Shimkus said.
Concerns about key management for instance, continue to be a big issue for companies even though some vendors have made considerable progress in this area over the past several years, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.