Failure to encrypt portable devices inexcusable, say analysts

The continuing failure by most enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a data compromise involving a lost laptop.

The continuing failure by most enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a data compromise involving a lost laptop .

The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 individuals who had submitted claims with the company over last year's disastrous oil spill.

According to BP, an employee lost the laptop while on routine business travel.

The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks, and other mobile devices account for a substantial portion of breaches these days.

According to statistics maintained by the Privacy Rights Clearinghouse , about 30 of the 144 data breaches announced so far this year, for instance, involved portable devices.

Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against these sorts of breaches.

Even so, a distressingly large number of companies have continued to ignore the advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.

"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst with Gartner.

Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.

Similarly, while full disk encryption can have an impact on laptop performance, the trade-off in terms of better security is fully worth it, Litan said.

"Enterprises that are not putting in laptop encryption are just being lazy," she said.

The growing cost of data breaches in particular should be pushing companies to adopt portable encryption more aggressively, say analysts. The Ponemon Group released a report last month showing how companies that experience data breaches these days can end up paying close to $214 per compromised record on average .

"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst with Spire Security.

The only legitimate barrier that companies can claim is the management overhead associated with laptop overhead. And even here, enterprises should be doing more in pushing their vendors for more easily manageable products, he said.

"I am not a fan of regulations in general so I am not ready for a mandate," from government requiring laptop encryption, he said. "However, some sort of penalty on loss might be in order."

Darren Shimkus, senior vice president of security vendor Credant said that it's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days. "It simply is not happening in the manner you would expect," he said.

That lack of adoption is a problem not just in the private sector, but also within the federal government.

In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on over 26 million veterans, the Office of Management (OMB) issued a memorandum requiring all agencies to encrypt sensitive data (PDF document) on portable devices.

Close to five years later, several federal agencies are not even close to compliance, according to an OMB report to Congress released earlier this month.

While several agencies have reported 100% compliance, and many others are well on their way to achieving full compliance, the government-wide average is still just more than 54%.

Numerous products are currently available that allow companies to encrypt data at both the disk level and at the file level, fairly easily and cost-effectively. Yet many appear to be holding back because of outdated perceptions relating to the deployment and management costs associated with encryption, Shimkus said.

Concerns about key management for instance, continue to be a big issue for companies even though considerable progress in this area has been made by some vendors over the past several years, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about data security in Computerworld's Data Security Topic Center.

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)