Slashdot Mirror
Only 27% of Organizations Use Encryption
An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."
Using encryption has its drawbacks: .vs. ipsec) doesn't work well with encryption
* you must provide a meaningful key management
* you lose speed of your machines for number crunching
* you can easily lose data in the event of hardware corruption
* access to data is a bit harder even for legitimate purposes
* many systems (for example Active Directory domain controller
* skills of your systems management must be higher
As a road warrior I should be using encryption, right? I would be a perfect candidate for it? And yet there is no way I will encrypt my laptop when I travel. The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my laptop or from backups, but what happens when the decryption mechanism or the OS crashes? Carry another laptop? Carry bootable USB-based decryption tools? Sorry, too many variables, too much potential for trouble.
It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.
(1) As long as it is unencrypted, you can still recover it relatively easily.
End anonymous moderation and posting on
I'm with you. In the consulting space, and the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. Eg. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitors reporting. Not a big deal.
I have to wonder how many of the outfits in TFA's little scare story fall into your category.
Remote access to network resources via a Citrix or other terminal server setup isn't exactly uncommon and means that no data of any interest actually end up on the user's HDD. They could still have a keylogger or screen-grabber lurking; but full disk encryption wouldn't save you from that in any case.
Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction than "Establish a VPN connection, now connect to our fileserver to access your documents, now configure your email client, now do all the other little things that would happen automagically if you were on a machine we had set up. Oh, you'll probably be asked for your credentials 10 times or so, because your machine isn't bound to our domain."