Failure to encrypt portable devices inexcusable, say analysts
Breaches such as the one involving BP oil spill claimants show why encrypting data on portable devices is a no-brainer
Computerworld - The continuing failure of many enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a potential data compromise involving a lost laptop.
The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 people who had submitted claims with the company related to last year's Gulf of Mexico oil spill.
According to BP, an employee lost the laptop while on routine business travel.
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks and other mobile devices account for a substantial portion of breaches these days.
For example, statistics maintained by the Privacy Rights Clearinghouse indicate that about 30 of the 144 data breaches announced so far this year involved portable devices.
Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against breaches that could occur if a device is lost or stolen.
But a distressingly large number of companies have continued to ignore that advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst at Gartner.
Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.
Similarly, while it's true that full disk encryption can affect laptop performance, the trade-off is that you get better security, and that's fully worth it, she said.
"Enterprises that are not putting in laptop encryption are just being lazy," said Litan.
If nothing else, the growing cost of data breaches should be pushing companies to adopt portable encryption more aggressively, say analysts. A Ponemon Group report released last month states that companies that experience data breaches these days can end up paying close to $214 per compromised record on average.
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst at Spire Security.
The only legitimate reason that companies might have for not encrypting all of their laptops is that encryption involves management overhead. But even so, instead of complaining about overhead, enterprises should be doing more to push vendors for products that are easier to manage, he said.
"I am not a fan of regulations in general, so I'm not ready for a [government] mandate" requiring laptop encryption, Lindstrom said. "However, some sort of penalty on loss might be in order."
Darren Shimkus, a senior vice president at security vendor Credant, said that it's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days. "It simply is not happening in the manner you would expect," he said.
That lack of adoption is a problem not just in the private sector, but also within the federal government.
In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on more than 26 million veterans, the Office of Management and Budget issued a memorandum requiring all agencies to encrypt sensitive data on portable devices.
Today, nearly five years later, several federal agencies are still not even close to compliance, according to an OMB report to Congress released earlier this month.
While several agencies have reported 100% compliance, and many others are well on their way to achieving full compliance, the governmentwide compliance average is still just a little more than 54%.
Numerous products are currently available that allow organizations to encrypt data at the disk level and at the file level fairly easily and cost-effectively. Yet many enterprises appear to be holding back because of outdated perceptions relating to the deployment and management costs associated with encryption, Shimkus said.
Concerns about key management, for instance, continue to be a big issue for companies even though some vendors have made considerable progress in this area over the past several years, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.