Hardly a month passes without news that a laptop containing unencrypted confidential information has been lost...
by some organisation or other.
Ever since the Nationwide Building Society incurred a fine of £980,000 in 2007 after a laptop containing its complete customer database was stolen from the home of one of its employees, there has been a constant stream of similarly embarrassing and damaging breaches.
The Nationwide fine, and even larger penalties that followed, should have served as a warning for others. However, organisations continued to lose laptops holding all sorts of valuable, unencrypted data.
Three recent examples illustrate the need for effective encryption processes. One machine, stolen from a BBC scriptwriter, held highly secret plotlines for the Christmas episodes of EastEnders. Another, stolen from credit and finance firm NCO Europe Ltd. in Preston, contained the personal records of thousands of MBNA credit card customers.
A third laptop, belonging to the Ministry of Defence (MoD) and holding military secrets, was taken from an office in Whitehall. That machine was encrypted, but the user had left the encryption keys with the computer, making it easy for the thief to see the contents.
Many more equally egregious breaches took place as well, but never made the headlines. The Licensed Taxi Drivers Association estimates that around 1,000 laptops, PDAs and USB sticks are left in the back of London cabs every month. The MoD admitted last year that it had actually lost 658 laptops in the space of four years.
Yet despite the well documented dangers of laptops going missing, most organisations are still reluctant to put in place protective measures to guard their data. For instance, in a survey conducted in November 2009 by Check Point Software Technologies Ltd., only 41% of 135 U.K. public and private sector bodies said they encrypted their business laptops.
One reason for this reticence is confusion over what to encrypt -- selected files or the whole disk -- and how to manage the encryption keys so that companies are not locked out of their data.
One man who has studied the problem is Derek Brink, a vice president and research fellow in IT security at Aberdeen Group Inc., a research company based in Boston. He recently surveyed a group of organisations from around the world, comparing those that had adopted file and folder encryption -- in other words, selective encryption of sensitive data -- with another group that had adopted what he described as using the "blunt instrument" of full disk encryption.
By examining the costs of ownership of each type of encryption, and the incidence of data breaches at the surveyed companies, Brink concluded that full disk encryption is not only more effective, but is also cheaper to run because it requires less user training and management. In the two groups of companies he examined, those using file and folder encryption spent an average of $96 per user a year, compared with $50 per user for those using full disk encryption. Those using full disk encryption also recorded fewer data breaches, and therefore lower costs of recovering from breaches.
"Full disk encryption is on the rise and is gaining in use over file and folder encryption," Brink said. "The simplicity argument is winning out over precision."
While the incidence of laptop loss is still high and unlikely to diminish, Brink said, the safest approach is to ensure the whole disk is encrypted automatically without any user intervention.
"That way, you don't have to worry about whether sensitive data was encrypted or not," he said. "You don't have to rely so much on the proper execution of good policies by trained and knowledgeable end users."
A European company cited in his research said it had chosen full disk encryption, enforced by a centralised management policy, because the company's top executives, who tended to carry the most sensitive information on their laptops, would have resisted any solution that required them to make a decision about what information to encrypt.
As well as installing full disk encryption products to protect their laptops, Brink said the most effective companies have well organised and consistent processes for enrolling users, storing keys centrally, and integrating the systems into their help desk process.
"Some technologies offer centralised key management, which is very important," he said. "We have noticed that the best performing companies can manage a much higher number of keys and endpoints at a lower cost. Successful companies recognise that they have to integrate these other processes, such as password reset and recovery, to support encryption."
But is full disk encryption enough? David Tomlinson, managing director at Taunton-based Data Encryption Systems Ltd,, thinks not.
"If people think that by encrypting their hard disk they've solved all their [data protection] problems, they will be disappointed," he said. "There are still plenty of other ways in which data can leak out."
Users can still copy files from their laptop onto a USB stick, he said, and that information will not be encrypted. They may also email it as an attachment, and again it will be unencrypted. In both those cases, further measures are required to ensure USB sticks and email attachments, where appropriate, are properly protected.
Tomlinson also argued that file and folder encryption still has a role in organisations, even when full disk encryption is in place.
"For instance, if IT support wants to come and look at my machine, I'll have to give them my password to let them on to the disk," he said. "But if it holds confidential files, then I'll want to keep those private."