Slashdot Mirror


Only 27% of Organizations Use Encryption

An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."

37 of 175 comments

  1. Don't blame IT by jhoegl · · Score: 4, Insightful

    We would do it if we weren't undermanned, underfunded, and had competent users.

    Support for things is already maxing many people out, now you want to add this?

    Please.

  2. Remote Desktop by Anonymous Coward · · Score: 3, Interesting

    I telecommute and all my work is stored on the server I remote into.
    As I have no work stored locally there is no encryption (aside from the VPN into the server).

    1. Re:Remote Desktop by fuzzyfuzzyfungus · · Score: 5, Informative

      I have to wonder how many of the outfits in TFA's little scare story fall into your category.

      Remote access to network resources via a Citrix or other terminal server setup isn't exactly uncommon and means that no data of any interest actually end up on the user's HDD. They could still have a keylogger or screen-grabber lurking; but full disk encryption wouldn't save you from that in any case.

      Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction than "Establish a VPN connection, now connect to our fileserver to access your documents, now configure your email client, now do all the other little things that would happen automagically if you were on a machine we had set up. Oh, you'll probably be asked for your credentials 10 times or so, because your machine isn't bound to our domain."

  3. Business As Usual by Anonymous Coward · · Score: 2, Insightful

    Yeah, blame the users, that will always make up for the fact that they depend on you to take care of these things for them.

    1. Re:Business As Usual by Anonymous Coward · · Score: 2, Insightful

      Security is not a product, I can give you the best security tools, but if you are too lazy to learn how to use them and then to use them with the needed competence (and paranoia), it will not work. There is no way to transform security into a magic button which an incompetent user just clicks and gets it.

      Security requires effort to check the keys, keep them private, accept the extra steps to apply and check it, remember passwords, keys and credentials, etc.

      90% users are plainly and loudly annoyed by common access password expire time and complexity requirements. They are simply not intellectually ready to manage encryption of fixed and removable media.

    2. Re:Business As Usual by Sir_Lewk · · Score: 2, Insightful

      I can give you the best security tools

      Well according to this article, it seems the vast majority of your peers cannot even be irked to do that much. Blaming users for not knowing how to use software they were never given in the first place takes a special kind of jackass.

      Also, password expire times are idiotic and probably do more to reduce password security than increase it.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  4. lose the keys, lose the data ... by Anonymous Coward · · Score: 3, Interesting

    There are corporate docs using Office 2003 DRM where I work. I'm literally the only person in a multi-national company that can read the docs because I'm the only one who applied the hotfix for the expired certificate.

    IT can't or won't do it through the domain.

  5. Does anyone believe this number? by upuv · · Score: 3, Insightful

    I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

    Exactly where does this BS stat come from again?

    1. Re:Does anyone believe this number? by commport1 · · Score: 5, Insightful

      I'm with you. In the consulting space, and the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. Eg. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitor's reporting. Not a big deal.

    2. Re:Does anyone believe this number? by AliasMarlowe · · Score: 4, Informative

      I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

      Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3.10^4 employees worldwide).

      Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:Does anyone believe this number? by Mr.+Freeman · · Score: 2, Insightful

      Sure, the usual thief doesn't give a shit about the data. What you need to worry about are the thieves that are after your laptop because of the data on it. They'll certainly care about it. I lock my door at night because I'm concerned about the small number of people that would break in with the intention of harming me, not the 99.9% of people that wouldn't do anything even if the door was wide open.

      The fact that most of the laptops being stolen are falling into the hands of idiots is no excuse for failing to protect them from the real threats.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    4. Re:Does anyone believe this number? by Kamokazi · · Score: 2, Insightful

      I would mod you higher if possible.

      This is exactly the case. Most places don't need encryption. I read a cleverly worded quote once that said something to the effect that security should serve business goals, and not just be there for security's sake. This is one of those cases. Encryption is a pain in the ass and not usually necessary.

      The only data virtually every company needs to protect is their employees' personal info, generally in HR. SSN's, any Medical info from insurance claims, etc.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    5. Re:Does anyone believe this number? by bschorr · · Score: 2, Insightful

      What about bank account info? Account numbers and balances? Saved passwords to financial sites or corporate resources? What about customer data? Credit card numbers? We see data in customer sites every day that shouldn't be exposed outside the organization. Granted it's not always found on portable devices but sometimes it is.

      Whole disk encryption is really not difficult to do and it's a heck of a lot easier than having to apologize to all of your customers because you lost an unencrypted laptop with their information on it.

      --
      -B-
  6. Encryption drawbacks by WetCat · · Score: 5, Informative

    Using encryption has its drawbacks:
    * you must provide a meaningful key management
    * you lose speed of your machines for number crunching
    * you can easily lose data in the event of hardware corruption
    * access to data is a bit harder even for legitimate purposes
    * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
    * skills of your systems management must be higher

    1. Re:Encryption drawbacks by grahamlee · · Score: 3, Insightful

      Taking those point by point (and staying on topic by discussing hard drive encryption, the subject of TFA):

      * you must provide a meaningful key management

      Depending on the size of the organisation and the purposes for using encryption, key management may not be necessary, though you still need a capable and reliable lost-passphrase-recovery helpdesk which is going to cost.

      * you lose speed of your machines for number crunching

      I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

      * you can easily lose data in the event of hardware corruption

      * access to data is a bit harder even for legitimate purposes

      Yes, that's the whole point. It's usually only a bit harder (you have to authenticate before the operating system will boot) but in return for that, the confidentiality of your data is protected. Security is about risk management and if the risk of publicising your company's secrets is more significant than the risk of users losing time by forgetting their passwords, then the trade-off is worth making.

      * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption

      Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

      * skills of your systems management must be higher

      Oh noes! I pay my systems managers to manage my systems but don't want to pay people who know what they're doing!

    2. Re:Encryption drawbacks by KiloByte · · Score: 2, Informative

      * you lose speed of your machines for number crunching

      I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

      For typical modern hard disk and CPU speeds, it takes about a single whole core to encrypt/decrypt the data at full bandwidth. That's definitely not a negligible loss. Business users may be not trying to run make -j like we do, but they'll still suffer significantly decreased battery life.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Encryption drawbacks by Anonymous Coward · · Score: 2, Interesting

      I ask, what are the tradeoffs though? Some of these factors can be mitigated. If you use Vista or Windows 7, Bitlocker recovery keys can be plopped into Active Directory.

      The factors for not having encryption are worse, and this is not factoring PCI/DSS compliance, Sarbanes-Oxley, HIPAA, CALEA, and other laws:

      * The legal liability of having records that were likely tampered with, so if there is a tax audit, there is no proof of anything that can stand in a tax court. The IRS or tax body may find that the lack of security constitutes malfeasance and assess immense fines.

      * Shareholders will band together and make a class action suit at a drop of a hat. If a company shows that it knew about the risk, but didn't deploy encryption, there will be flocks of law firms in a feeding frenzy looking for anything which could be construed as gross misconduct or failing to employ due diligence.

      * Law enforcement who is tired of chasing ID theft cases will be looking at the company to see if any criminal laws about data retention got broken. (This is mainly the EU.)

      * You can do a lot with paying ad guys for PR, but it will cost a lot more to patch up damaged reputation than having meaningful security in the first place.

      * The fees a company pays to have data recovery consultants will far, far outweigh the costs of having a security infrastructure. Yes, I have heard many bosses say, "just call Geek Squad", but for an enterprise-level meltdown, one will be looking at a huge tab, especially if business production systems are down.

      * In some countries, having a rival company or nation know who is on a business's payroll may put lives at stake, especially if someone is found to be working for an unpopular company in an unstable country.

    4. Re:Encryption drawbacks by broken_chaos · · Score: 2, Informative

      From my experience playing with dm-crypt under Linux (on a greater-than three year old laptop, nonetheless), the speed and battery impact is surprisingly negligible for anything that doesn't constantly access the disk. Even with constant disk access, it was often less than a 'full core' of CPU utilisation. The only circumstance I can see full disk encryption, even done entirely in software, being a significant drain on performance is with a single core system or an extremely fast hard drive setup. A number of business-oriented laptops come with dedicated hardware disk encryption these days, such as some of the Lenovo offerings.

      Of course, I did tweak the system I used to a fairly significant degree -- for example, most compilation (it was running Gentoo) was done fully in RAM, thanks to tmpfs, as well as using some other laptop-mode tweaks that reduced frequency of writes. It wasn't even that I needed the data on the disk encrypted... I just did it because I could, with few downsides and the upside being some more experience with that sort of security setup (which has come in handy since).

    5. Re:Encryption drawbacks by bertok · · Score: 3, Insightful

      Using encryption has its drawbacks:
      * you must provide a meaningful key management
      * you lose speed of your machines for number crunching
      * you can easily lose data in the event of hardware corruption
      * access to data is a bit harder even for legitimate purposes
      * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
      * skills of your systems management must be higher

      I know you probably mean well, but every one of those statements is basically false.

      - Active Directory + Bitlocker OR AD + Encrypting File System (EFS) both do automatic key management, key escrow, etc...
      - Bitlocker has no performance impact, it uses the TPM chip. Also, most CPUs are MUCH faster at encryption than disks are at reading or writing data, so it's not a bottleneck even for software-only systems.
      - hardware corruption causes data loss anyway, encryption just ensures that you only ever get valid data. In that respect, it's a little like ZFS -- encryption also provides integrity, as well as security.
      - Access to data on encrypted volumes is NOT harder. It's usually transparent. If you have proper backup procedures in place, you need never access data in non-standard ways. Speaking of which, your backups should be encrypted too!
      - AD works well with encryption, and has its own built in. It's already reasonably secure for most applications, and doesn't really need further encryption. The only AD related protocol that had issues with ipsec is DNS, but Windows 7 and 2008 R2 now support that as well.
      - If you're already deploying Windows Vista or 7 SOEs, adding in Bitlocker is trivial, it's basically a checkbox. Deploying ipsec is admittedly a little harder, but it's not exactly rocket science.

      I've implemented extensive encryption before, and it wasn't hard, and the users never noticed. From what I've seen, the lack of encryption is not caused by technical issues, but laziness and politics.

      Security is one of those things that's not a problem day to day, just like backups. The users don't notice, and nobody complains to the managers about it, so it must not be a problem, right?

      You only need security on those rare occasions when there's a hack, or a laptop gets stolen, or some intern sells 10 petabytes of old backup tapes full of customer data on eBay for $35. Of course, when those things happen, it's already too late to implement security. The breach has already occurred. There's no going back in time to tick checkboxes.

      In case you're wondering just how common data breaches are, check out this list of the publicly known ones:

      http://www.privacyrights.org/ar/ChronDataBreaches.htm

      If that doesn't scare you, think about how many more there are that the public didn't find out about. Chances are good that your personal data has been leaked to God-knows-who, probably several times, because of lazy IT admins and inept managers.

    6. Re:Encryption drawbacks by lukas84 · · Score: 2

      Bitlocker has no performance impact, it uses the TPM chip.

      Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.

      BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.

  7. As a road warrior I should be using encryption... by hwyhobo · · Score: 5, Interesting

    As a road warrior I should be using encryption, right? I would be a perfect candidate for it? And yet there is no way I will encrypt my laptop when I travel. The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my laptop or from backups, but what happens when the decryption mechanism or the OS crashes? Carry another laptop? Carry bootable USB-based decryption tools? Sorry, too many variables, too much potential for trouble.

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    --
    End anonymous moderation and posting on /.
  8. More than I expected. by Wizarth · · Score: 3, Interesting

    That is a larger percentage than I expected. I wonder if the statistics were collected by asking people if they used it, and the percentages were more the amount of people who knew they should be.

  9. Re:As a road warrior I should be using encryption. by motherjoe · · Score: 4, Funny

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    --
    "Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
  10. That's another problem altogether by hwyhobo · · Score: 4, Insightful

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ. There it should be encrypted.

    --
    End anonymous moderation and posting on /.
  11. Re:As a road warrior I should be using encryption. by Jeian · · Score: 2, Insightful

    It depends on your job. If you're, say, a marketing consultant, encryption probably isn't all that important. If you work for a credit card processing company (I previously worked in the IT department for one) you absolutely should be using encryption.

  12. that's because by rastoboy29 · · Score: 2, Informative

    we geeks haven't made it easier to use.

  13. Re:As a road warrior I should be using encryption. by Orlando · · Score: 2, Insightful

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    I would go even further - What is the mathematical probability of someone stealing my [laptop] AND be interested enough in the data on the disk to bother trying to get access to it.

    Even without encryption, getting access to the data on a laptop which uses OS password authentication requires some time and knowledge. I would argue that most people who steal laptops would reinstall as soon as they see a login screen. In other words, the hardware is more valuable to them than the data.

    Be sure, I'm not saying the risk is zero, but it's pretty low.

    Orlando

    --
    -= This is a self-referential sig =-
  14. Re:As a road warrior I should be using encryption. by jimicus · · Score: 2, Insightful

    100% Agree. The simple fact is if I encrypt it here I can't un-encrypt it there. Translation. My hard disk uses version 1.5.3.6.3.222.43..56666.333 of software BLOTZO.supersafe.org and nothing else I own does. My HD goes cactus I'm screwed.

    I simply can't trust that I can recover from a failure. Even if I carry the magic secret key to the encryption.

    It'll cost "me" more to recover than to have stolen.

    P.S. I will go down on assault charges the next time some moron un-plugs my usb drive without safely ejecting it.

    Which is why the correct response to "Oh dear my OS has failed and I now can't recover any of the encrypted data that was on the hard disk" is NOT "I'll have to crack out the bootable USB rescue disk that has never been properly tested and cannot possibly work in all circumstances".

    The correct response is "Oh well, that's what the backup is there for".

    (How easy it is to enforce your users not storing data on their laptops - or if they must do so guaranteeing they have a working backup facility in place - is another issue altogether).

  15. Disk encryption can be very useful sometimes by vadim_t · · Score: 3, Interesting

    There's one use for encryption people don't generally discuss: tech service.

    I've been running a home server for a long time. Such systems over time accumulate years worth of mail, which will contain private data, website passwords, and so on. I personally feel uncomfortable with sending a disk containing years worth of data to a tech support department when I want to, say, get it replaced under warranty. There have been a few stories about underpaid techs looking for music and porn on customers' hard drives. And if the disk is broken I can hardly erase it properly.

    So my solution:

    For servers, encrypt the disk, and keep the key in a USB drive always plugged into the server. If a disk breaks, I remove the disk, and send it for warranty replacement without worrying about the data.

    For laptops, I use Ubuntu's disk encryption. It's even better there as laptops usually don't have RAID, and may break for multiple reasons that I can't personally fix.

  16. A lot of organisations just are not that important by frinkacheese · · Score: 4, Insightful

    If you run a cleaning company or you're a group of plumbers or perhaps you have a fairly large landscape gardening company then your data just is not that important or a target. So this survey is really quite useless, so what if Agnes Cleaners do not encrypt their thumb drives with their cleaning rota on it? Nobody cares. So whilst all organisations should encrypt just because it is sensible, not all organisations really need to bother because the likelihood of anything happening to their data is so small that it's just not worth the effort of sorting out the idiots who call up the part-time IT admin guy because they have forgotten their encryption key (again).

  17. Use systems that users don't need to think about... by jonwil · · Score: 3, Insightful

    There do exist packages that can handle the encryption of at least fixed disks without the user needing to do anything more than the usual login. BitLocker for one (and BitLocker can plug into Active Directory easily).

    With the right software, it is possible to protect the fixed disks of all PCs in the enterprise (including laptops that may only connect to the network through a VPN or may be used in places where there is no network access at all such as airplanes) and the only thing the users have to do is to log in just like they normally do. Mobile devices like Blackberries and Windows Mobile devices also have options for encryption that IT can enable. Even email can be encrypted without the users doing anything special using modern versions of Exchange (at least from what I read with Google).

  18. Re:As a road warrior I should be using encryption. by Anonymous Coward · · Score: 2, Insightful

    I also use a laptop often. However, I use TrueCrypt or BitLocker on Windows, and PGP WDE on my Mac. Why? Because if my laptop was stolen, I'd rather have it be "just" a hardware theft that I can get a police report, file a claim on my insurance, and replace my hardware. Without encryption, I would have not just a hardware theft, but a possible theft of:

    * License keys to the OS and apps. A volume license key for a popular app is a boon for pirates.

    * Personal Documents on the hard disk which can be used for ID theft, or used in combination with burglars to make finely targeted violent crime.

    * Work documents. You would be surprised who has extremely company confidential material on personal machines because they need it for a remote presentation to a client. It could be something as simple as a roadmap of unreleased products that a prospective customer wants, but in the hands of competition, it would mean a major competitive loss.

    * Passwords stored in a password manager, either the Web browser or another utility. I use different passwords for every Web site I go to, so if one site doesn't get compromised, it won't mean anything else does.

    * Cached files. You can glean a lot of information even from deleted files about someone, the people they associate with, their job, and such.

    * Identity. How many people put their Quicken files on a protected disk image or TrueCrypt partition, and make sure to unmount it when done balancing the checkbook?

    * VPN settings. Even if someone doesn't know my VPN password, they will have account information, IP, and port number, and from this, they could try at the very minimum a brute force attack which either will work, or will have the account get denied. This would look very bad as an employee.

    * Identity in another sense. A criminal can take a laptop and then masquerade as another individual to give the police someone to target and arrest.

    On the road, I also take measures to contain data loss. I have a custom U3 USB flash drive that has a BartPE image on the CD part. I then have another USB flash drive with two TrueCrypt volumes on it. The first holds an OS image that I made before going on the trip. The second TC volume holds backup copies of my documents. Finally, I use a cloud computing backup service (using a keyfile so the documents leave my machine encrypted), so I am assured of fairly recent backups automatically. For maximum security, I keep a smart card on my keyring which can be used with PGP or TrueCrypt to ensure that if I have the smart card with me, no attacker is going to be able to mount those volumes.

    USB flash drives are small, easily encrypted if you use known good software like TrueCrypt, Apple's Disk Image utility, LUKS, or EncFS, and easy to put in some sort of case (even a Ziplock bag) so they don't get lost in a laptop case.

  19. Re:As a road warrior I should be using encryption. by aclarke · · Score: 2, Interesting

    If you have sensitive customer data on your computer, by law you may be required to notify those customers if the data is lost. Or, you may decide that morally it is the right thing to do. Therefore, you also have to balance the potential bad press your company's announcement will generate based on you losing your laptop, whether or not you know that the people who stole it are going to access the data.

    Risk management is more than just the likelihood of your laptop being stolen and your data being accessed by criminals. It's about the significance of each risk as well. Given that for many people, having a laptop stolen and having to disclose that fact is a huge negative, having encryption can mitigate or eliminate that risk.

  20. Re:As a road warrior I should be using encryption. by Radtoo · · Score: 2, Informative

    but what happens when the decryption mechanism or the OS crashes? [...]

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    Well, I'm not sure what encryption solution you might have tried. I for one have been using first TrueCrypt and then LUKS on a laptop. It traveled far and its hard disk drive already had to be replaced twice. There never were any particular pains with encryption.

    First and most important of all, backups and encryption do not interfere. So you obviously DO backup such a laptop that may get stolen, lost, or break completely. Certainly, if you use encryption, you want to have the software needed to decrypt an encrypted partition on your backup or a live DVD, but that's nothing that's hard to get.

    Even filewise recovery and forensics is possible on an encrypted partition, too - as long as you have the master encryption header (or similar) backed up, there's little chance for additional problems introduced by having encryption in case of a recovery.
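
Added example (not part of the thread or of any project named in it): a Python check that a stored LUKS header backup still belongs to a volume, following the point above about keeping the encryption header backed up. It assumes the LUKS1 on-disk layout; the function names and the sample headers are constructed for illustration.

```python
import struct

# LUKS1 on-disk header, big-endian: 208 fixed bytes + 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD
NUM_SLOTS = 8
HEADER_SIZE = PHDR.size + NUM_SLOTS * SLOT.size  # 592 bytes


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(data):
    """Return the header fields that matter when recovering a volume."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to hold a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     mk_digest, mk_salt, mk_iterations, uuid) = PHDR.unpack_from(data, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError("only the LUKS1 layout is handled here")
    slots = []
    for i in range(NUM_SLOTS):
        state, iterations, salt, km_offset, _stripes = SLOT.unpack_from(
            data, PHDR.size + i * SLOT.size)
        slots.append({"active": state == SLOT_ACTIVE, "iterations": iterations,
                      "salt": salt, "key_material_offset": km_offset})
    return {"cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "key_bytes": key_bytes,
            "payload_offset": payload_offset, "uuid": _text(uuid),
            "mk_digest": mk_digest, "mk_salt": mk_salt,
            "mk_iterations": mk_iterations, "slots": slots}


def active_slots(header):
    """Indexes of the key slots that currently hold a passphrase or keyfile."""
    return [i for i, s in enumerate(header["slots"]) if s["active"]]


def check_backup(device_bytes, backup_bytes):
    """Compare the header read from the device with a stored backup.

    "current":  identical volume identity and key slots.
    "stale":    same master key, but key slots changed since the backup.
                Restoring it brings back the old passphrases, so a stale
                backup must be protected (or destroyed) like a key.
    "mismatch": different volume, or the volume was reformatted; this
                backup cannot unlock the data on the device.
    """
    dev = parse_luks1_header(device_bytes)
    bak = parse_luks1_header(backup_bytes)
    same_volume = all(dev[k] == bak[k] for k in ("uuid", "mk_digest", "mk_salt"))
    if not same_volume:
        return "mismatch"
    return "current" if dev["slots"] == bak["slots"] else "stale"


def build_sample_header(uuid, slot_salts, mk_digest=b"\x11" * 20):
    """Constructed test data: a well-formed LUKS1 header with made-up values."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                    4096, 32, mk_digest, b"\x22" * 32, 10000, uuid.encode())
    for i in range(NUM_SLOTS):
        salt = slot_salts.get(i)
        if salt is None:
            hdr += SLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 8 + i * 256, 4000)
        else:
            hdr += SLOT.pack(SLOT_ACTIVE, 50000, salt, 8 + i * 256, 4000)
    return hdr


SAMPLE_UUID = "01234567-89ab-cdef-0123-456789abcdef"  # constructed value

if __name__ == "__main__":
    device = build_sample_header(SAMPLE_UUID, {0: b"\xaa" * 32})
    fresh = device
    after_passphrase_change = build_sample_header(SAMPLE_UUID, {0: b"\xbb" * 32})
    other_disk = build_sample_header("ffffffff-0000-0000-0000-000000000000",
                                     {0: b"\xaa" * 32})
    info = parse_luks1_header(device)
    print(info["cipher"], info["mode"], "active slots:", active_slots(info))
    for name, backup in (("fresh", fresh),
                         ("old passphrase", after_passphrase_change),
                         ("other disk", other_disk)):
        print(name, "->", check_backup(device, backup))
```

On a real system the two inputs would be the first 592 bytes of the encrypted partition and of the file written by `cryptsetup luksHeaderBackup`.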

  21. While everyone is arguing over drive encryption... by barzok · · Score: 2, Informative

    thousands of businesses are using plain FTP and email to throw unencrypted files around to & from other companies daily.

  22. Of those 27% by TejWC · · Score: 3, Insightful

    I wonder what percent of them wrote their password on a post-it note attached to their laptop.

  23. We use it, and it sucks by onyx00 · · Score: 3, Informative

    I work at a Fortune 100 company and we recently (1 year ago) deployed disk encryption to all laptops. It sucks honestly. You can't do image backups anymore, not to mention backups are questionable because you don't always know how the backup is being done (low level copy, file copy, etc.). Furthermore, it SLOWS compiles, etc. way way down. When you are hitting the disk a ton to compile, the encryption takes a huge toll. And finally, if something goes wrong on the disk, well your data is at the hands of an IT guy they hired last week. Even worse, they won't give IT-contractors the keys to fix encryption issues, so only a limited staff can deal with disk encryption issues encountered.