Experts say encryption is the best way to protect sensitive data on laptops and other mobile devices. Most IT organizations say they know this. So why do so few companies actually do it?
"I'm concerned that a great number of companies are still not protecting their data," said John Girard, vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc. "The sales of [encryption] products over the last number of years are still a small fraction of the laptops and mobile devices out there."
Credant Technologies Inc., an Addison, Texas-based vendor of mobile device encryption technology, recently surveyed 426 IT professionals worldwide. Eight-eight percent said they know large amounts of sensitive data are sitting on their employees' mobile devices. Seventy-two percent said the best way to protect that data is through encryption. But only 20% said they have actually deployed encryption on those devices.
"Those numbers make sense to me because most of the people we speak with are reporting that it hasn't even hit their radar screen yet," said Carmi Levy, a senor research analyst at Info-Tech Research Group Inc. in London, Ontario.
Levy said there seems to be a mental block among companies about the threat mobile devices present to data security.
"Traditionally, [mobile devices] have been seen as low-powered, low-capacity adjunct to the corporate tool set," Levy said.
However, anyone who reads the news knows that laptops with thousands of sensitive records on customers and employees are lost or stolen every month.
Levy compares the attitude toward unsecured mobile data to drunken driving. The message is clear to everyone: Drinking and driving is dangerous and can have serous legal consequences. Yet thousands continue to die every year in alcohol-related accidents.
"The same ethos applies to mobile data security," Levy said. "It's a known threat and an easy threat to understand, but most organizations don't allocate the resources necessary to bring it truly under control."
The Credant survey asked respondents to list reasons why their companies hadn't adopted mobile device encryption. Fifty-six percent said it was due to a lack of funding; 51% said encryption was not an executive priority; and 50% said they were impeded by limited IT resources.
"No one wants to pay for this," Girard said.
Randy Maib, senior IT consultant at Integris Health Inc., an Oklahoma City-based hospital chain, deployed Credant's mobile encryption to all of his organizations' mobile devices five years ago.
It's a known threat and an easy threat to understand, but most organizations don't allocate the resources necessary to bring it truly under control.
Carmi Levy, senor research analyst, Info-Tech Research Group
"From having conversations with [my peers] it seems more and more are aware that they need to be doing encryption, but a lot of them don't have a basis for where that encryption should take place and in what circumstances," Maib said. "But it's becoming more and more prominent, talk about security and HIPAA [The Health Information Portability and Accountability Act]. But a lot of them haven't heard about client-side encryption. They believe that if they've got a password it's good enough."
Maib said his company's former CIO was the key to putting Intregis on the leading edge with encryption.
"Our previous CIO was an extreme visionary," he said. "We started to go down the road to see who was ahead of the game [in encryption], find out what kind of practices the industry started doing."
"Before that, the bulk of security was physicians and administrative personnel who knew how to enable the security features of the Palm operation system," Maib said.
Maib said about 300 of his company's several thousand doctors are solely using mobile devices for their work, but that population is growing.
He said the physicians were resistant to adopting the encryption at first because they didn't want any impediments to getting patient data. But Maib said he has made it fairly simple for doctors to decrypt data with a PIN.
Girard said encryption is the simplest way to take care of mobile data, but many companies fear implementation.
"There's a lot of fear that encrypting a device will slow it down," Girard said. "There is also concern that an encrypted device is harder to recover, diagnose or repair. Both of these, under certain circumstances, are legitimate concerns. But most devices have more power now."
Girard said users will object to anything that makes it hard to use a mobile device.
"The device is supposed to be easy to use," Girard said. "You put something on here that makes it take more than 30 seconds to log onto a PDA, how am I going to feel? The whole idea is convenience. That's the expectation people have. Make sure any security you put into a device is not distracting to the user, but it can't be transparent."
Levy said IT needs to prioritize mobile encryption. He said mobile devices don't always get attention because companies haven't implemented a mobile security strategy. He said this is partly a legacy of the history of mobile devices being brought into organizations by end users who have connected surreptitiously.
Let us know what you think about the story; email firstname.lastname@example.org.