Experts say
encryption is the best way to protect sensitive data on laptops
and other mobile devices. Most IT organizations say they know this.
So why do so few companies actually do it?
"I'm concerned that a great number of companies are still not
protecting their data," said John Girard, vice president and
distinguished analyst at Stamford, Conn.-based Gartner Inc. "The
sales of [encryption] products over the last number of years are
still a small fraction of the laptops and mobile devices out
there."
Credant Technologies Inc., an Addison, Texas-based vendor of mobile
encryption technology, recently surveyed 426 IT professionals
worldwide. Eight-eight percent said they know large amounts of
sensitive data are sitting on their employees' mobile devices.
Seventy-two percent said the best way to protect that data is
through encryption. But only 20% said they have actually deployed
encryption on those devices.
"Those numbers make sense to me because most of the people we
speak with are reporting that it hasn't even hit their radar screen
yet," said Carmi Levy, a senior research analyst at Info-Tech
Research Group Inc. in London, Ontario.
Levy said there seems to be a mental block among companies about
the threat mobile devices present to data security.
"Traditionally, [mobile devices] have been seen as low-powered,
low-capacity adjunct to the corporate tool set," Levy said.
However, anyone who reads the news knows that laptops with
thousands of sensitive records on customers and employees are lost
or stolen every month.
Levy compares the attitude toward unsecured mobile data to
drunken driving. The message is clear to everyone: Drinking and
driving is dangerous and can have serious legal consequences. Yet
thousands continue to die every year in alcohol-related
accidents.
"The same ethos applies to mobile data security," Levy said.
"It's a known threat and an easy threat to understand, but most
organizations don't allocate the resources necessary to bring it
truly under control."
The Credant survey asked respondents to list reasons why their
companies hadn't adopted encryption. Fifty-six percent said it was
due to a lack of funding; 51% said encryption was not an executive
priority; and 50% said they were impeded by limited IT
resources.
"No one wants to pay for this," Girard said.
Randy Maib, senior IT consultant at Integris Health Inc., an
Oklahoma City-based hospital chain, deployed Credant's mobile
encryption to all of his organization's mobile devices five years
ago.
"From having conversations with [my peers] it seems more and
more are aware that they need to be doing encryption, but a lot of
them don't have a basis for where that encryption should take place
and in what circumstances," Maib said. "But it's becoming more and
more prominent, talk about security and HIPAA [The Health
Information Portability and Accountability Act]. But a lot of them
haven't heard about client-side encryption. They believe that if
they've got a password it's good enough."
Maib said his company's former CIO was the key to putting
Integris on the leading edge with encryption.
"Our previous CIO was an extreme visionary," he said. "We started
to go down the road to see who was ahead of the game [in
encryption], find out what kind of practices the industry started
doing."
"Before that, the bulk of security was physicians and
administrative personnel who knew how to enable the security
features of the Palm operation system," Maib said.
Maib said about 300 of his company's several thousand doctors
are solely using mobile devices for their work, but that population
is growing.
He said the physicians were resistant to adopting the encryption
at first because they didn't want any impediments to getting
patient data. But Maib said he has made it fairly simple for
doctors to decrypt data with a PIN.
Girard said encryption is the simplest way to take care of
mobile data, but many companies fear implementation.
"There's a lot of fear that encrypting a device will slow it
down," Girard said. "There is also concern that an encrypted device
is harder to recover, diagnose or repair. Both of these, under
certain circumstances, are legitimate concerns. But most devices
have more power now."
Girard said users will object to anything that makes it hard to
use a mobile device.
"The device is supposed to be easy to use," Girard said. "You
put something on here that makes it take more than 30 seconds to
log onto a PDA, how am I going to feel? The whole idea is
convenience. That's the expectation people have. Make sure any
security you put into a device is not distracting to the user, but
it can't be transparent."
Levy said IT needs to prioritize mobile encryption. He said
mobile devices don't always get attention because companies haven't
implemented a mobile security strategy. He said this is partly a
legacy of the history of mobile devices being brought into
organizations by end users who have connected surreptitiously.
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer