Stephen Midgley, Absolute Software: The State of Encryption in Europe
February 2010 by Stephen Midgley, Absolute Software
The increasingly mobile nature of data has resulted in growing pressures on IT departments. There was a time, not too long ago, when data was secured primarily due to the physical security of the building where it was located. Now, with the ubiquitous use of laptops and handheld devices, a secure physical environment, while requisite, is no longer sufficient.
As we enter a new decade, IT departments are faced with a proverbial “perfect storm” when it comes to securing data. Departments are dealing with reduced operating budgets, which means they have to do more with less. There is a growing movement from various levels of government to regulate the security of data, such as the recent announcement by the UK Ministry of Justice that the Information Commissioner’s Office (ICO) would have the power to fine organisations up to £500,000 for serious breaches of data protection principles. The European Council has approved a data breach notification rule for Europe’s telecommunications firms. This amendment to an EU Directive will force telcos to inform customers if they lose their data. The growing enactment of regulatory legislation related to securing data will force corporations to establish the processes necessary to ensure the integrity of data. Failing to do so could expose them to significant financial and reputational repercussions if a data breach were to occur. According to the Ponemon Institute, the average cost of a data breach to an organisation in the UK is £1.7 million, while in Germany it is €2.41 million.
Along with reduced operating budgets and growing government legislation, the general public has become acutely aware (and concerned) about the security of their personal data as the instances of lapses in data security continue to increase. In fact, according to the ICO, the number of recorded data breaches in the UK increased by nearly 65% last year over the previous year.
And finally, there is growing mobility of the workforce – from people travelling with their data to people telecommuting from their homes. According to the Ponemon Institute, over 3500 laptops go missing every week in European airports. That’s one laptop every three minutes. While mobility creates business opportunities, it has accelerated the use of corporate-owned devices outside of the traditional workplace, especially as more and more employees work from “home offices”. The result is the creation of an information perimeter outside of the traditional enterprise perimeter.
This perfect storm therefore begs the perfect question for any IT department: How do you secure data that you cannot track?
Encryption has, for some time, been the de facto standard in securing data and is one of the most important security tools in the defence of data. While it is an important part of any approach to data security, encryption alone is not enough. It does not enable IT to track the data, and it does not provide any details as to what type of information was stored on the missing or stolen laptop. In fact, when an encrypted laptop goes missing, all IT really knows is that a laptop with potentially damaging information is in the public domain, with no means of retrieving the data. And, according to the latest research from the Ponemon Institute, there is no guarantee that encryption was set up properly on the device in question. Surveying non-IT business managers in the UK, it was found that 66% of them either wrote down their password on a private document, such as a post-it note, or shared it with other individuals in case the password was forgotten.
IT departments, in this mobile environment, require more than encryption to securely track, manage and protect their data. What they need is a layered approach to security that enables them to track data on and off the local area network and provides them with various options to access the data in case a laptop does go missing, instead of being left wondering whether the encryption was disabled. In order to be effective, encryption requires organisations and users to take appropriate steps to make sure sensitive and confidential information is protected as much as possible.
As shown in research conducted by the Ponemon Institute and sponsored by Absolute Software on The Human Factor in Laptop Encryption, a cultural divide exists between non-IT business managers and IT practitioners when it comes to security. Too often IT is being bypassed and losing control, yet it remains accountable for data security and for ensuring the performance, integrity, availability and compliance of that data. It was found that a high percentage of employees surveyed in business functions (referred to as business managers) were not taking such precautionary steps as using complex passwords, not sharing passwords, keeping their laptop physically safe when travelling or locking their laptops to their desks to protect sensitive and confidential data. Further, many respondents believe that encryption solutions make it unnecessary to take other security measures.
In contrast, their colleagues in IT and IT security functions (referred to as IT security practitioners) are diligent in taking all or most precautionary steps to safeguard the sensitive and confidential information on their laptops. They believe encryption is an important security tool, but believe it is critical to follow certain procedures to ensure that data is protected if a laptop is lost or stolen.
The following are some of the most salient findings:
86% of IT security practitioners report that someone in their organisation has had a laptop lost or stolen and 61% report that it resulted in a data breach. Only 45% report that the organisation was able to prove the contents were encrypted.
59% of business managers surveyed strongly agree and agree that encryption stops cyber criminals from stealing data on laptops versus 46% of IT security practitioners who strongly agree or agree.
53% of business managers have disengaged their laptop’s encryption solution and 43% admit this is in violation of their company’s security policy.