Failure to encrypt portable devices inexcusable, say analysts
Breaches such as the one involving BP oil spill claimants show why encrypting data on portable devices is a no-brainer
Computerworld - The continuing failure of many enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a potential data compromise involving a lost laptop.
The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 people who had submitted claims with the company related last year's Gulf of Mexico oil spill.
According to BP, an employee lost the laptop while on routine business travel.
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks and other mobile devices account for a substantial portion of breaches these days.
For example, statistics maintained by the Privacy Rights Clearinghouse indicate that about 30 of the 144 data breaches announced so far this year involved portable devices.
Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against breaches that could occur if a device is lost or stolen.
But a distressingly large number of companies have continued to ignore that advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst at Gartner.
Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.
Similarly, while it's true that full disk encryption can affect laptop performance, the trade-off is that you get better security, and that's fully worth it, she said.
"Enterprises that are not putting in laptop encryption are just being lazy," said Litan.
If nothing else, the growing cost of data breaches should be pushing companies to adopt portable encryption more aggressively, say analysts. A Ponemon Group report released last month states that companies that experience data breaches these days can end up paying close to $214 per compromised record on average.
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst at Spire Security.
The only legitimate reason that companies might have for not encrypting all of their laptops is that encryption involves management overhead. But even so, instead of complaining about overhead, enterprises should be doing more to push vendors for products that are easier to manage, he said.
"I am not a fan of regulations in general, so I'm not ready for a [government] mandate" requiring laptop encryption, Lindstrom said. "However, some sort of penalty on loss might be in order."
Darren Shimkus, a senior vice president at security vendor Credant, said that it's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days. "It simply is not happening in the manner you would expect," he said.
That lack of adoption is a problem not just in the private sector, but also within the federal government.
In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on more than 26 million veterans, the Office of Management and Budget issued a memorandum requiring all agencies to encrypt sensitive data (download PDF) on portable devices.
Today, nearly to five years later, several federal agencies are still not even close to compliance, according to an OMB report to Congress (download PDF) released earlier this month.
While several agencies have reported 100% compliance, and many others are well on their way to achieving full compliance, the governmentwide compliance average is still just a little more than 54%.
Numerous products are currently available that allow organizations to encrypt data at the disk level and at the file level fairly easily and cost-effectively. Yet many enterprises appear to be holding back because of outdated perceptions relating to the deployment and management costs associated with encryption, Shimkus said.
Concerns about key management for instance, continue to be a big issue for companies even though some vendors have made considerable progress in this area over the past several years, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Teen nabbed in Heartbleed attack against Canadian tax site
- Heartbleed bug can expose private server encryption keys
- FTC can sue companies hit with data breaches, court says
- 5-year-old hacks Xbox, now he's a Microsoft 'security researcher'
- State AGs probe Experian subsidiary's data breach
- NSA sniffing prompts Yahoo to encrypt traffic between its data centers
- Banks withdraw data breach claim against Target
- Bank abandons place in class-action suit against Target, Trustwave
- Banks' suit in Target breach a 'wake-up call' for companies hiring PCI auditors
- Gameover malware takes aim at Monster.com and CareerBuilder.com
Read more about Data Security in Computerworld's Data Security Topic Center.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Data Security White Papers | Webcasts