Slashdot Mirror


Only 27% of Organizations Use Encryption

An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."

19 of 175 comments

  1. Don't blame IT by jhoegl · · Score: 4, Insightful

    We would do it if we weren't undermanned and underfunded, and had competent users.

    Support for things is already maxing many people out, now you want to add this?

    Please.

  2. Remote Desktop by Anonymous Coward · · Score: 3, Interesting

    I telecommute and all my work is stored on the server I remote into.
    As I have no work stored locally there is no encryption (aside from the VPN into the server).

    1. Re:Remote Desktop by fuzzyfuzzyfungus · · Score: 5, Informative

      I have to wonder how many of the outfits in TFA's little scare story fall into your category.

      Remote access to network resources via a Citrix or other terminal server setup isn't exactly uncommon and means that no data of any interest actually end up on the user's HDD. They could still have a keylogger or screen-grabber lurking; but full disk encryption wouldn't save you from that in any case.

      Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction than "Establish a VPN connection, now connect to our fileserver to access your documents, now configure your email client, now do all the other little things that would happen automagically if you were on a machine we had set up. Oh, you'll probably be asked for your credentials 10 times or so, because your machine isn't bound to our domain."

  3. lose the keys, lose the data ... by Anonymous Coward · · Score: 3, Interesting

    There are corporate docs using Office 2003 DRM where I work. I'm literally the only person in a multi-national company that can read the docs because I'm the only one who applied the hotfix for the expired certificate.

    IT can't or won't do it through the domain.

  4. Does anyone believe this number? by upuv · · Score: 3, Insightful

    I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

    Exactly where does this BS stat come from again?

    1. Re:Does anyone believe this number? by commport1 · · Score: 5, Insightful

      I'm with you. In the consulting space, the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. E.g. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitor's reporting. Not a big deal.

    2. Re:Does anyone believe this number? by AliasMarlowe · · Score: 4, Informative

      I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

      Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3×10^4 employees worldwide).

      Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire

  5. Encryption drawbacks by WetCat · · Score: 5, Informative

    Using encryption has its drawbacks:
    * you must provide a meaningful key management
    * you lose speed of your machines for number crunching
    * you can easily lose data in the event of hardware corruption
    * access to data is a bit harder even for legitimate purposes
    * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
    * skills of your systems management must be higher

    1. Re:Encryption drawbacks by grahamlee · · Score: 3, Insightful

      Taking those point by point (and staying on topic by discussing hard drive encryption, the subject of TFA):

      * you must provide a meaningful key management

      Depending on the size of the organisation and the purposes for using encryption, key management may not be necessary, though you still need a capable and reliable lost-passphrase-recovery helpdesk which is going to cost.

      * you lose speed of your machines for number crunching

      I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

      * you can easily lose data in the event of hardware corruption

      * access to data is a bit harder even for legitimate purposes

      Yes, that's the whole point. It's usually only a bit harder (you have to authenticate before the operating system will boot) but in return for that, the confidentiality of your data is protected. Security is about risk management and if the risk of publicising your company's secrets is more significant than the risk of users losing time by forgetting their passwords, then the trade-off is worth making.

      * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption

      Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

      * skills of your systems management must be higher

      Oh noes! I pay my systems managers to manage my systems but don't want to pay people who know what they're doing!

    2. Re:Encryption drawbacks by bertok · · Score: 3, Insightful

      Using encryption has its drawbacks:
      * you must provide a meaningful key management
      * you lose speed of your machines for number crunching
      * you can easily lose data in the event of hardware corruption
      * access to data is a bit harder even for legitimate purposes
      * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
      * skills of your systems management must be higher

      I know you probably mean well, but every one of those statements is basically false.

      - Active Directory + Bitlocker OR AD + Encrypting File System (EFS) both do automatic key management, key escrow, etc...
      - Bitlocker has no performance impact, it uses the TPM chip. Also, most CPUs are MUCH faster at encryption than disks are at reading or writing data, so it's not a bottleneck even for software-only systems.
      - hardware corruption causes data loss anyway, encryption just ensures that you only ever get valid data. In that respect, it's a little like ZFS -- encryption also provides integrity, as well as security.
      - Access to data on encrypted volumes is NOT harder. It's usually transparent. If you have proper backup procedures in place, you need never access data in non-standard ways. Speaking of which, your backups should be encrypted too!
      - AD works well with encryption, and has its own built in. It's already reasonably secure for most applications, and doesn't really need further encryption. The only AD-related protocol that had issues with ipsec is DNS, but Windows 7 and 2008 R2 now support that as well.
      - If you're already deploying Windows Vista or 7 SOEs, adding in Bitlocker is trivial, it's basically a checkbox. Deploying ipsec is admittedly a little harder, but it's not exactly rocket science.

      I've implemented extensive encryption before, and it wasn't hard, and the users never noticed. From what I've seen, the lack of encryption is not caused by technical issues, but laziness and politics.

      Security is one of those things that's not a problem day to day, just like backups. The users don't notice, and nobody complains to the managers about it, so it must not be a problem, right?

      You only need security on those rare occasions when there's a hack, or a laptop gets stolen, or some intern sells 10 petabytes of old backup tapes full of customer data on eBay for $35. Of course, when those things happen, it's already too late to implement security. The breach has already occurred. There's no going back in time to tick checkboxes.

      In case you're wondering just how common data breaches are, check out this list of the publicly known ones:

      http://www.privacyrights.org/ar/ChronDataBreaches.htm

      If that doesn't scare you, think about how many more there are that the public didn't find out about. Chances are good that your personal data has been leaked to God-knows-who, probably several times, because of lazy IT admins and inept managers.

  6. As a road warrior I should be using encryption... by hwyhobo · · Score: 5, Interesting

    As a road warrior I should be using encryption, right? I would be a perfect candidate for it? And yet there is no way I will encrypt my laptop when I travel. The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my laptop or from backups, but what happens when the decryption mechanism or the OS crashes? Carry another laptop? Carry bootable USB-based decryption tools? Sorry, too many variables, too much potential for trouble.

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing? (1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    --
    End anonymous moderation and posting on /.

  7. More than I expected. by Wizarth · · Score: 3, Interesting

    That is a larger percentage than I expected. I wonder if the statistics were collected by asking people if they used it, and the percentages were more the amount of people who knew they should be.

  8. Re:As a road warrior I should be using encryption. by motherjoe · · Score: 4, Funny

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    --
    "Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"

  9. That's another problem altogether by hwyhobo · · Score: 4, Insightful

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ. There it should be encrypted.

    --
    End anonymous moderation and posting on /.

  10. Disk encryption can be very useful sometimes by vadim_t · · Score: 3, Interesting

    There's one use for encryption people don't generally discuss: tech service.

    I've been running a home server for a long time. Such systems over time accumulate years' worth of mail, which will contain private data, website passwords, and so on. I personally feel uncomfortable with sending a disk containing years' worth of data to a tech support department when I want to, say, get it replaced under warranty. There have been a few stories about underpaid techs looking for music and porn on customers' hard drives. And if the disk is broken I can hardly erase it properly.

    So my solution:

    For servers, encrypt the disk, and keep the key on a USB drive always plugged into the server. If a disk breaks, I remove the disk, and send it for warranty replacement without worrying about the data.

    For laptops, I use Ubuntu's disk encryption. It's even better there as laptops usually don't have RAID, and may break for multiple reasons that I can't personally fix.

  11. A lot of organisations just are not that important by frinkacheese · · Score: 4, Insightful

    If you run a cleaning company or you're a group of plumbers or perhaps you have a fairly large landscape gardening company then your data just is not that important or a target. So this survey is really quite useless; so what if Agnes Cleaners do not encrypt their thumb drives with their cleaning rota on it? Nobody cares. So whilst all organisations should encrypt just because it is sensible, not all organisations really need to bother because the likelihood of anything happening to their data is so small that it's just not worth the effort of sorting out the idiots who call up the part-time IT admin guy because they have forgotten their encryption key (again).

  12. Use systems that users don't need to think about... by jonwil · · Score: 3, Insightful

    There do exist packages that can handle the encryption of at least fixed disks without the user needing to do anything more than the usual login. BitLocker for one (and BitLocker can plug into Active Directory easily).

    With the right software, it is possible to protect the fixed disks of all PCs in the enterprise (including laptops that may only connect to the network through a VPN or may be used in places where there is no network access at all, such as airplanes) and the only thing the users have to do is log in just like they normally do. Mobile devices like Blackberries and Windows Mobile devices also have options for encryption that IT can enable. Even email can be encrypted without the users doing anything special using modern versions of Exchange (at least from what I read with Google).
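The setup bertok and jonwil describe above (BitLocker unlocking transparently via the TPM, with recovery keys escrowed in Active Directory so the lost-passphrase helpdesk case is covered) as an added example, not code from the thread: a PowerShell check that reports whether a volume meets both conditions and escrows a recovery password if it is missing. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later, newer than this thread) and a domain policy that allows backing recovery information up to AD DS; the two function names are my own.

```powershell
# Added example: audit one volume for the two properties the thread argues about,
# transparent TPM unlock and an AD-escrowed recovery password.
function Test-BitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # KeyProtectorType is Tpm, TpmPin, TpmStartupKey, ... for TPM-based protectors
    $tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    $rec = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus   # On / Off
        VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod    = $vol.EncryptionMethod
        HasTpmProtector     = [bool]$tpm
        HasRecoveryPassword = [bool]$rec
        RecoveryProtectorIds = @($rec | ForEach-Object { $_.KeyProtectorId })
    }
}

# Add a recovery password protector if none exists, then escrow every
# recovery password to AD DS (the "key management" the thread says AD does for you).
function Repair-BitLockerEscrow {
    param([string]$MountPoint = $env:SystemDrive)

    $rec = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rec) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rec = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($p in $rec) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

$report = Test-BitLockerCompliance
$report | Format-List
if ($report.ProtectionStatus -ne 'On' -or -not $report.HasTpmProtector) {
    Write-Warning "$($report.MountPoint) is not transparently TPM-protected (Enable-BitLocker -TpmProtector)."
}
if (-not $report.HasRecoveryPassword) {
    Repair-BitLockerEscrow -MountPoint $report.MountPoint
}
```

Run it elevated on a domain-joined machine; Backup-BitLockerKeyProtector only succeeds when Group Policy permits storing recovery information in AD DS.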

  13. Of those 27% by TejWC · · Score: 3, Insightful

    I wonder what percent of them wrote their password on a post-it note attached to their laptop.

  14. We use it, and it sucks by onyx00 · · Score: 3, Informative

    I work at a Fortune 100 company and we recently (1 year ago) deployed disk encryption to all laptops. It sucks honestly. You can't do image backups anymore, not to mention backups are questionable because you don't always know how the backup is being done (low level copy, file copy, etc.). Furthermore, it SLOWS compiles, etc. way way down. When you are hitting the disk a ton to compile, the encryption takes a huge toll. And finally, if something goes wrong on the disk, well, your data is at the hands of an IT guy they hired last week. Even worse, they won't give IT contractors the keys to fix encryption issues, so only a limited staff can deal with disk encryption issues encountered.