Mobile device encryption: A best practice that no one uses

Symbion Consumer IT manager Matthew Moore concluded the company didn't need separate encryption software for its mobile devices -- but not all executives have the luxury of choice. While there's more sensitive data in the field than ever, a recent survey found too few companies are actually deploying this critical technology.

Experts say encryption is the best way to protect sensitive data on laptops and other mobile devices. Most IT organisations say they know this. So why do so few companies actually do it?

"I'm concerned that a great number of companies are still not protecting their data," said John Girard, vice president and distinguished analyst at Gartner. "The sales of [encryption] products over the last number of years are still a small fraction of the laptops and mobile devices out there."

Credant Technologies, a vendor of mobile encryption technology, recently surveyed 426 IT professionals worldwide. Eighty-eight percent said they know large amounts of sensitive data are sitting on their employees' mobile devices. Seventy-two percent said the best way to protect that data is through encryption. But only 20% said they have actually deployed encryption on those devices.

"Those numbers make sense to me because most of the people we speak with are reporting that it hasn't even hit their radar screen yet," said Carmi Levy, a senior research analyst at Info-Tech Research Group.

Levy said there seems to be a mental block among companies about the threat mobile devices present to data security. "Traditionally, [mobile devices] have been seen as low-powered, low-capacity adjuncts to the corporate tool set," he explained.

However, anyone who reads the news knows that laptops with thousands of sensitive records on customers and employees are lost or stolen every month.

Levy compares the attitude toward unsecured mobile data to drink driving. The message is clear to everyone: Drinking and driving is dangerous and can have serious legal consequences. Yet thousands continue to die every year in alcohol-related accidents. "The same ethos applies to mobile data security," Levy said. "It's a known threat and an easy threat to understand, but most organisations don't allocate the resources necessary to bring it truly under control."

The Credant survey asked respondents to list reasons why their companies hadn't adopted encryption. Fifty-six percent said it was due to a lack of funding; 51% said encryption was not an executive priority; and 50% said they were impeded by limited IT resources.

"No one wants to pay for this," Girard said.

Lack of investment in specialised encryption technology isn't always due entirely to customer ignorance, however. Vitamin and health supplement manufacturer Symbion Consumer, for one, considered encryption as one possible mechanism for protecting the data stored on the O2 smartphones that were rolled out to 45 salespeople last year.

Security was a major consideration in IT manager Matthew Moore's evaluation of the technology and its likely management overhead, but the company eventually decided against it. "The smartphones are fairly robust, but not the easiest of devices to maintain and manage," he explains. "They store delta changes to information [between synchronisation with the corporate server] but that's all encrypted within the [O4 Corporation field sales] application" so standalone encryption software wasn't deemed necessary.

In Symbion's case, the biggest issue with the mobile rollout turned out to be the efficient management of the hundreds of megabytes of information the devices were carrying. Because the O4 application handles encryption of this data automatically, the company was able to instead focus its efforts on making changes to archiving and synchronisation policies that have improved the efficiency of the overall solution.

Not all companies have the luxury to decide whether or not security is necessary, however: with increasingly stringent governance requirements forcing companies to tighten up stewardship of sensitive data, encryption is steadily becoming a necessity.

Randy Maib, senior IT consultant at US hospital chain Integris Health, deployed Credant's mobile encryption to all of his organisation's mobile devices five years ago.

"From having conversations with [my peers] it seems more and more are aware that they need to be doing encryption, but a lot of them don't have a basis for where that encryption should take place and in what circumstances," Maib said. "But it's becoming more and more prominent, talk about security and HIPAA [the US Health Information Portability and Accountability Act]. But a lot of them haven't heard about client-side encryption. They believe that if they've got a password it's good enough."

Maib said his company's former CIO was the key to putting Integris on the leading edge with encryption. "Our previous CIO was an extreme visionary," he said. "We started to go down the road to see who was ahead of the game [in encryption], find out what kind of practices the industry started doing."

"Before that, the bulk of security was physicians and administrative personnel who knew how to enable the security features of the Palm operating system," Maib said.

Maib said about 300 of his company's several thousand doctors are solely using mobile devices for their work, but that population is growing. He said the physicians were resistant to adopting the encryption at first because they didn't want any impediments to getting patient data. But Maib said he has made it fairly simple for doctors to decrypt data with a PIN.

Girard said encryption is the simplest way to take care of mobile data, but many companies fear implementation.

"There's a lot of fear that encrypting a device will slow it down," Girard said. "There is also concern that an encrypted device is harder to recover, diagnose or repair. Both of these, under certain circumstances, are legitimate concerns. But most devices have more power now."

Girard said users will object to anything that makes it hard to use a mobile device.

"The device is supposed to be easy to use," Girard said. "You put something on here that makes it take more than 30 seconds to log onto a PDA, how am I going to feel? The whole idea is convenience. That's the expectation people have. Make sure any security you put into a device is not distracting to the user, but it can't be transparent."

Levy said IT needs to prioritise mobile encryption. He said mobile devices don't always get attention because companies haven't implemented a mobile security strategy. He said this is partly a legacy of the history of mobile devices being brought into organisations by end users who have connected surreptitiously.
