Slashdot Mirror


Only 27% of Organizations Use Encryption

An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."

9 of 175 comments

  1. Don't blame IT by jhoegl · · Score: 4, Insightful

    We would do it if we weren't undermanned, underfunded, and had competent users.

    Support for things is already maxing many people out, now you want to add this?

    Please.

  2. Encryption drawbacks by WetCat · · Score: 5, Informative

    Using encryption has its drawbacks:
    * you must provide meaningful key management
    * you lose speed of your machines for number crunching
    * you can easily lose data in the event of hardware corruption
    * access to data is a bit harder even for legitimate purposes
    * many systems (for example Active Directory domain controller vs. IPsec) don't work well with encryption
    * skills of your systems management must be higher

  3. As a road warrior I should be using encryption... by hwyhobo · · Score: 5, Interesting

    As a road warrior I should be using encryption, right? I would be a perfect candidate for it? And yet there is no way I will encrypt my laptop when I travel. The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my laptop or from backups, but what happens when the decryption mechanism or the OS crashes? Carry another laptop? Carry bootable USB-based decryption tools? Sorry, too many variables, too much potential for trouble.

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    --
    End anonymous moderation and posting on /.
  4. Re:Does anyone believe this number? by commport1 · · Score: 5, Insightful

    I'm with you. In the consulting space, and the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc. etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. E.g. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitor's reporting. Not a big deal.

  5. Re:As a road warrior I should be using encryption. by motherjoe · · Score: 4, Funny

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)
     

    --
    "Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
  6. Re:Does anyone believe this number? by AliasMarlowe · · Score: 4, Informative

    I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

    Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3.10^4 employees worldwide).

    Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  7. That's another problem altogether by hwyhobo · · Score: 4, Insightful

    So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

    That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ. There it should be encrypted.

    --
    End anonymous moderation and posting on /.
  8. A lot of organisations just are not that important by frinkacheese · · Score: 4, Insightful

    If you run a cleaning company or you're a group of plumbers or perhaps you have a fairly large landscape gardening company then your data just is not that important or a target. So this survey is really quite useless, so what if Agnes Cleaners do not encrypt their thumb drives with their cleaning rota on it? Nobody cares. So whilst all organisations should encrypt just because it is sensible, not all organisations really need to bother because the likelihood of anything happening to their data is so small that it's just not worth the effort of sorting out the idiots who call up the part-time IT admin guy because they have forgotten their encryption key (again).

  9. Re:Remote Desktop by fuzzyfuzzyfungus · · Score: 5, Informative

    I have to wonder how many of the outfits in TFA's little scare story fall into your category.

    Remote access to network resources via a Citrix or other terminal server setup isn't exactly uncommon and means that no data of any interest actually end up on the user's HDD. They could still have a keylogger or screen-grabber lurking; but full disk encryption wouldn't save you from that in any case.

    Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction than "Establish a VPN connection, now connect to our fileserver to access your documents, now configure your email client, now do all the other little things that would happen automagically if you were on a machine we had set up. Oh, you'll probably be asked for your credentials 10 times or so, because your machine isn't bound to our domain."