Lock up your data

Lost information is no laughing matter for business. Encryption is a solution. So why aren’t more companies using it to the full?

Confidential data left on a train or in a taxi is now such a commonplace of modern life that it’s become a staple for stand-up comedians. But it’s no joke for organisations whose poor data protection practices leave them with heavy fines or a shredded reputation.

A representative for the Information Commissioner’s Office, which is responsible for prosecuting firms that are careless with data, says: “The ICO recommends that portable and mobile devices . . . should be protected using approved encryption software which is designed to guard against the compromise of information.” But is it that simple?

According to Dr Tim Watson, head of De Montfort University’s computer technology department, the use of endpoint encryption in organisations is patchy, even within organisations. “The people involved in mergers and acquisitions might be good at security but the secretarial pool is probably applying it with unequal levels of rigour.” A survey of information security system auditors, carried out by the Ponemon Institute on behalf of Thales, found that firms that take security seriously are keen adopters of encryption. Yet more than half of auditors believe firms do it purely to achieve compliance.

Larry Ponemon, the institute’s chairman, feels this attitude is even more widespread: “The use of crypto technologies is primarily designed to get an organisation to a high state of compliance, rather than a high state of security readiness,” he says. “Achieving compliance doesn’t necessarily mean that you have the best security infrastructure.”

Encryption isn’t just useful at endpoints, however: it has benefits across the computing infrastructure, from securing the transmission of point-of-sale data to storage and databases. But continual data leaks have given endpoint encryption a certain urgency.

There is a lingering belief that encryption is difficult to use or has too great an impact on system performance. Neither is necessarily true

So why aren’t businesses using it more? Ponemon believes there is a lingering belief that encryption is difficult to use or has too great an impact on system performance, but neither is necessarily true.

“There is no need for great impact on complexity and efficiency,” says Dr Bob Askwith, head of Liverpool John Moores University’s networked systems and security department. “SSL in web browsers is a good example – we see our browsers running quickly and without much effect on user experience.”

In many ways, it is really users who are the problem. “There is a lot of resistance by end users,” says Ponemon, “and we’re starting to see more and more companies considering hardware-based encryption as an alternative because you can’t disable or disengage it.”

But enforcing the use of encryption and building it into businesses’ processes can be difficult. “Misunderstanding encryption as a product, and security as a state, is a common problem,” says Askwith. “Encryption needs to be engineered into a secure business process and managed accordingly.”

Fortunately, the use of encryption has been made easier by its inclusion in the most popular operating systems. Apple’s OS X allows for automatic encryption of home directories and Windows 7 goes further: its BitLocker technology encrypts the whole drive as well as external devices such as USB sticks.

There are still challenges, however, especially around key management, “not because there aren’t tools to make that process easier”, says Ponemon, “but it still requires some people to be thoughtful. And we still see companies making mistakes around key management – not just having security blunders but losing data.”

There can also be technical issues. “There are ramifications in terms of disaster recovery, damaged hard disks and so on,” says Watson. “When staff change, just keeping track and managing the continued access to the data is a challenge. So there are business risks associated with encryption as well as business advantages. It’s a cost, like any aspect of security.”

But justifying that cost shouldn’t be too hard, even if the return on investment isn’t immediately obvious: encryption is part of your risk insurance and it could even lower your premiums.

“As part of your risk analysis, you should be looking at what the change will be if you introduce encryption,” says Watson. “And the return on investment issues should lead your encryption strategy.”
