Failure to encrypt portable devices inexcusable, say analysts
Breaches such as the one involving BP oil spill claimants show why encrypting data on portable devices is a no-brainer
Computerworld - The continuing failure of many enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a potential data compromise involving a lost laptop.
The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 people who had submitted claims with the company related last year's Gulf of Mexico oil spill.
According to BP, an employee lost the laptop while on routine business travel.
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks and other mobile devices account for a substantial portion of breaches these days.
For example, statistics maintained by the Privacy Rights Clearinghouse indicate that about 30 of the 144 data breaches announced so far this year involved portable devices.
Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against breaches that could occur if a device is lost or stolen.
But a distressingly large number of companies have continued to ignore that advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst at Gartner.
Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.
Similarly, while it's true that full disk encryption can affect laptop performance, the trade-off is that you get better security, and that's fully worth it, she said.
"Enterprises that are not putting in laptop encryption are just being lazy," said Litan.
If nothing else, the growing cost of data breaches should be pushing companies to adopt portable encryption more aggressively, say analysts. A Ponemon Group report released last month states that companies that experience data breaches these days can end up paying close to $214 per compromised record on average.
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst at Spire Security.
The only legitimate reason that companies might have for not encrypting all of their laptops is that encryption involves management overhead. But even so, instead of complaining about overhead, enterprises should be doing more to push vendors for products that are easier to manage, he said.
"I am not a fan of regulations in general, so I'm not ready for a [government] mandate" requiring laptop encryption, Lindstrom said. "However, some sort of penalty on loss might be in order."
Darren Shimkus, a senior vice president at security vendor Credant, said that it's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days. "It simply is not happening in the manner you would expect," he said.
That lack of adoption is a problem not just in the private sector, but also within the federal government.
In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on more than 26 million veterans, the Office of Management and Budget issued a memorandum requiring all agencies to encrypt sensitive data (download PDF) on portable devices.
Today, nearly to five years later, several federal agencies are still not even close to compliance, according to an OMB report to Congress (download PDF) released earlier this month.
While several agencies have reported 100% compliance, and many others are well on their way to achieving full compliance, the governmentwide compliance average is still just a little more than 54%.
Numerous products are currently available that allow organizations to encrypt data at the disk level and at the file level fairly easily and cost-effectively. Yet many enterprises appear to be holding back because of outdated perceptions relating to the deployment and management costs associated with encryption, Shimkus said.
Concerns about key management for instance, continue to be a big issue for companies even though some vendors have made considerable progress in this area over the past several years, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- UPS now the third company in a week to disclose data breach
- Healthcare organizations still too lax on security
- Why would Chinese hackers want US hospital patient data?
- About 4.5M face risk of ID theft after hospital network hacked
- Supervalu breach shows why move to smartcards is long overdue
- Grocery stores in multiple states hit by data breach
- Update: Payment cards with chips aren't perfect, so encrypt everything, experts say
- U.S. agencies halt background checks by contractor after cyberattack
- Five unanswered questions about massive Russian hacker database
- Massive Russian hack has researchers scratching their heads
Read more about Data Security in Computerworld's Data Security Topic Center.
- Getting Real About Management and "Big Data" It's an exciting yet daunting time to be a security professional. Security threats are becoming more aggressive and voracious. Governments and industry bodies...
- The Big Data Security Analytics Era Is Here Security management must be based upon continuous monitoring and data analysis for situational awareness and data-driven security decisions. Organizations have entered the era...
- Transforming Information Security: Future-Proofing Processes This report provides a valuable set of recommendations from 19 of the world'd leading security officers to help organizations build security strategies for...
- How JPMorgan Chase Adopted DMARC to Stop Cyberattacks and Protect their Brand When JP Morgan Chase decided to take action against phishing attacks, the problem turned out to be much bigger than anticipated. Learn how,...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- Establish Cyber Resiliency: Developing a Continuous Response Architecture Many enterprises fail to proactively prepare the battlefield for a data breach by only leveraging outdated techniques that focus on the perimeter or... All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!