Comment: The state of encryption

Absolute Software's Dave Everitt says encryption for mobile devices is not enough to prevent data leaks

There was a time, not too long ago, when data was secured primarily due to the physical security of the building where it was located. Now, with the ubiquitous use of laptops and handheld devices, a secure physical environment, while requisite, is no longer sufficient.

IT departments are facing a proverbial ‘perfect storm’ when it comes to data security. Departments are dealing with reduced operating budgets, so they have to do more with less. At the same time, the mobility of the workforce is ever-growing, and the general public has become acutely aware of the security of their personal data as the instances of data security lapses continue to increase.

In late November of last year, the Information Commissioner's Office (ICO) issued its first fines for serious breaches of data protection principles. Hertfordshire County Council and employment services company A4e were on the unfortunate end of £100,000 and £60,000 fines, respectively. In the case of Hertfordshire County Council, faxing highly sensitive information about children is totally unforgivable, and the £100,000 fine could have been much higher. The A4e data breach was also preventable, and it’s hard to believe that the laptop in question lacked even basic security measures, such as encryption.

However, encryption alone is not enough, and with the ICO seemingly giving this form of security precedence in its warnings, organisations must wake up to the fact that it is not the sole answer. Perhaps then we will see a halt to such costly security screw-ups.

The problem with encryption

Encryption has, for some time, been the de facto standard in securing data. Although it is an essential part of a layered approach to data security, encryption alone is not enough. It does not enable IT to track the data or manage the device it resides on, and encryption does not provide any details as to what type of information was stored on the missing or stolen device.

Further evidence that encryption is insufficient as a stand-alone method for corporate security comes from the Ponemon Institute. According to a report published in March 2010, there is no guarantee that encryption is being properly deployed in the workplace. A survey of non-IT business managers in the UK found that 53% of them had disengaged encryption technology on their business hardware. This was despite the fact that 61% of laptop thefts in the UK have resulted in a data breach.

What this means is that while encryption is important, it does not protect organisations from financial and reputational damage.

A layered approach

Put simply, even if your business has encryption technology, your employees can’t be relied upon to use it. Despite frequent and high-profile cases of data theft and loss, such as the aforementioned examples, it seems business managers still struggle to see why they need to take responsibility. This attitude should improve, however, now that the Information Commissioner has demonstrated it is prepared to hit organisations where it hurts – in their pocket.

Companies must look at everything from using locks to prevent opportunist thieves, to installing technology to remotely delete data from the mobile devices if they are taken.

Other layers should also include traditional desktop and gateway anti-virus and, particularly, anti-spam defences. Phishing attacks are a common way to steal data, and if a user volunteers the information, then all the encryption in the world won’t help.

This is also where laptop tracking is a huge advantage. The second a laptop is reported stolen the data can be remotely wiped. This means nobody will be able to access any sensitive data on that laptop. Not only can data be deleted, but the original cases can be tracked and returned to the rightful owner.

Of course, it does help when a decent level of encryption is used, but there are still high risks. If the data is sensitive enough, it’s far better to wipe the laptop and be done with it, whilst also tracking and recovering the stolen item.

As the UK’s economy continues to change, businesses are likely to function with greater mobility. The increasing trend of staff working remotely, full-time, suggests the office as we know it is going out of style. But with a disparate workforce comes higher risk. Companies absolutely need to get on top of this mobile data risk and ensure there are clear and effective strategies in place to mitigate any data loss outside their four walls.

Dave Everitt is general manager EMEA at Absolute Software where he is responsible for leadership, strategic development and business partner relations pertaining to the company’s business in the region. He has over 25 years of experience in developing business in both hardware and software for the high-technology international computing and communications market.
