Failure to encrypt portable devices inexcusable, say analysts
Breaches such as the one involving BP oil spill claimants show why encrypting data on portable devices is a no-brainer
Computerworld - The continuing failure of many enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a potential data compromise involving a lost laptop.
The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 people who had submitted claims with the company related last year's Gulf of Mexico oil spill.
According to BP, an employee lost the laptop while on routine business travel.
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks and other mobile devices account for a substantial portion of breaches these days.
For example, statistics maintained by the Privacy Rights Clearinghouse indicate that about 30 of the 144 data breaches announced so far this year involved portable devices.
Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against breaches that could occur if a device is lost or stolen.
But a distressingly large number of companies have continued to ignore that advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst at Gartner.
Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.
Similarly, while it's true that full disk encryption can affect laptop performance, the trade-off is that you get better security, and that's fully worth it, she said.
"Enterprises that are not putting in laptop encryption are just being lazy," said Litan.
If nothing else, the growing cost of data breaches should be pushing companies to adopt portable encryption more aggressively, say analysts. A Ponemon Group report released last month states that companies that experience data breaches these days can end up paying close to $214 per compromised record on average.
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst at Spire Security.
The only legitimate reason that companies might have for not encrypting all of their laptops is that encryption involves management overhead. But even so, instead of complaining about overhead, enterprises should be doing more to push vendors for products that are easier to manage, he said.
"I am not a fan of regulations in general, so I'm not ready for a [government] mandate" requiring laptop encryption, Lindstrom said. "However, some sort of penalty on loss might be in order."
Darren Shimkus, a senior vice president at security vendor Credant, said that it's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days. "It simply is not happening in the manner you would expect," he said.
That lack of adoption is a problem not just in the private sector, but also within the federal government.
In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on more than 26 million veterans, the Office of Management and Budget issued a memorandum requiring all agencies to encrypt sensitive data (download PDF) on portable devices.
Today, nearly to five years later, several federal agencies are still not even close to compliance, according to an OMB report to Congress (download PDF) released earlier this month.
While several agencies have reported 100% compliance, and many others are well on their way to achieving full compliance, the governmentwide compliance average is still just a little more than 54%.
Numerous products are currently available that allow organizations to encrypt data at the disk level and at the file level fairly easily and cost-effectively. Yet many enterprises appear to be holding back because of outdated perceptions relating to the deployment and management costs associated with encryption, Shimkus said.
Concerns about key management for instance, continue to be a big issue for companies even though some vendors have made considerable progress in this area over the past several years, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Hackers steal user data from the European Central Bank website, demand money
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
Read more about Data Security in Computerworld's Data Security Topic Center.
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Adobe Creative Cloud for teams Security Overview This white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and your...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different.... All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!