No excuse for lack of encryption

Perform a Google search with the following terms: lost personal data. Here’s a sampling of what appeared at press time:

UK families put on fraud alert: Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing (BBC News, Nov. 20, 2007)

AIG: Personal data on 970,000 lost in burglary (USA Today, June 18, 2006)

CD of Georgia personal data lost: In the biggest loss ever of personal information compiled by state government, a computer disk containing data on 2.9 million Georgians has been lost in shipping (Cox News Service, April 11, 2007)

TJX breach involved 45.7m cards, company reports (Boston Globe, March 28, 2007)

Try it yourself here.

And on and on. Open Security Foundation took over’s Data Loss Database in September. DLDB posts a running tally of recent data breaches, their types (lost media, stolen laptop, network hack) and timelines. Within the week this article was written, DLDB reported 10 data loss incidents, ranging from 90 records exposed when a Government of Newfoundland and Labrador system was hacked to 11,000,000 records lost by the South Korean office of energy company GS Caltex.

And despite the almost daily news of data loss, theft and leakage, much of this personal and sensitive information is unencrypted when it’s lost, making identity theft and fraud more likely.


James Quin, senior research analyst with Info-Tech Research Group, tries to sound sanguine, but the frustration bubbles under the surface.

“Lack of encryption is like not quitting smoking,” Quin says. “It’s so blindingly obvious that there’s no reason everyone shouldn’t be doing it.”

According to IDC Canada’s David Senf, 14 per cent of Canadian organizations believe they’re ill-prepared to stop data loss. Another 45 per cent say they’re doing “an OK job – some data stays, some data leaves.”

Among public sector organizations and mid-sized to large enterprises, there’s a strong sentiment that more has to be done, Senf says. “There’s a mix of data companies are worried about,” Senf says. When survey respondents were asked what type of information loss worried them most, customer data was No. 1 – but not by a long shot, Senf said. Forty per cent were most worried about customer data; others prioritized financial information, intellectual property or employee data. How they feel that data’s leaking depends on whom you ask. IT departments fret about USB keys, e-mail and lost or stolen laptops, while many line of business people are still worried about hard copies. In insurance, for example, there’s still a lot of paper floating around.

So companies are aware there’s a problem. Yet still, much of that data that falls into the wrong hands is unencrypted.

“Fundamentally, organizations don’t believe the risk is high enough to warrant the cost,” Senf says.

Quin concurs that cost is a factor.

“People are lazy. People are cheap,” he says. “Encryption solutions are not cheap,” especially those that have to be rolled out to every user, like e-mail encryption.

Companies don’t seem to factor in the cost in terms of brand damage of a leak. “The number of times this happens and the bad press associated with it … at some point, the bad press becomes more expensive (than the encryption solution),” Quin says.

Senf says that companies tend to view the impact of a data loss in terms of lost assets and productivity rather than damage to reputation.

If cost is reason No. 1 for companies foregoing encryption, No. 2 is a perception of complexity. “I don’t think there’s a lot of understanding of the tools,” Quin says. That stems from the early days of public key infrastructure (PKI) encryption and its associated issues regarding key management, escrow, etc.

“When people first saw encrypted e-mail back in the ‘90s, they got inboxes full or encrypted mail and said, ‘What is that?’” says Kelly Mackin, president and chief operating officer of CertifiedMail Inc., which offers in-premise and software as a service e-mail encryption. Early e-mail encryption used secure multipurpose Internet e-mail extensions (S/MIME), with its inherent key and certificate management complexities.

“It’s possible to do it without that complexity and cost to the IT department,” Mackin says.

CertifiedMail and Osterman Research Inc. surveyed 205 companies in North America and Europe on the subject of e-mail encryption. While 22 per cent of users found using manual encryption somewhat difficult or difficult, 44 per cent responded that using the tools is “not too difficult.”

The survey revealed other reasons for not using encryption – difficulty integrating with legacy equipment and scalability issues among them. Then there’s the “white noise” assumption, says Mackin – in the blizzard of traffic, “you assume you’re protected,” even though the address and subject fields are in the public domain.

“The fact that you write ‘Confidential’ on your e-mail means nothing,” she says.

And she believes the obsession with the virus problem has monopolized the security budget – a huge amount of it “goes into digging the moat deeper to keep out the infidels.”

“Encryption solutions aren’t that complex anymore,” Quin says. “Realistically, at the end of the day, there is no good reason (not to use them).

“Backup tapes, absolutely, positively must be encrypted,” he continues. “And laptops … oh my god, I can’t believe people are still not encrypting laptops. That’s the most heinous crime.”

IT security pros trying to plug the holes often run up against budgetary and cultural brick walls, according to Senf, and conflicting priorities like business intelligence or project management initiatives.

One way to make the encryption case to management: Start free, says Quin. Microsoft’s Windows, the dominant operating system on laptops, has had encryption capabilities built-in since the Windows 2000 version. Encrypting File System (EFS), the encryption subsystem of the NTFS file system, isn’t the strongest encryption available – it’s tied to the user’s login – but it’s better than nothing, says Quin. Most backup and database software has some kind of encryption feature – you just have to turn it on.

“Use that as a proving ground,” says Quin. If it’s not adequate, then make the case for something stronger.

Or, you can let something else make the case for you. Senf believes that when a serious data loss incident happens in a particular vertical, there will be a flurry of activity within that vertical. Tighter breach notification rules in PIPEDA will also lead to some adoption.

Of course, e-mail breaches can be intentional. “That’s where data loss prevention (technology) comes into play,” says Senf. But even with that, an employee determined to leak information could take a screen capture or a photo.

“There’s always a way to extract information from a company,” Senf says.

The goal is to minimize it – and make sure what does leak isn’t usable.