
Only 27% of Organizations Use Encryption

Posted by samzenpus
from the here's-all-my-data dept.
An anonymous reader writes "According to a Check Point survey of 224 IT and security administrators, over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."
  • Don't blame IT (Score:4, Insightful)

    by jhoegl (638955) on Thursday January 14, 2010 @03:33AM (#30761886)
    We would do it if we weren't undermanned, underfunded, and had competent users.

    Support for things is already maxing many people out, now you want to add this?

    Please.
    • Business As Usual (Score:2, Insightful)

      by Anonymous Coward
      Yeah, blame the users, that will always make up for the fact that they depend on you to take care of these things for them.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Security is not a product. I can give you the best security tools, but if you are too lazy to learn how to use them, and then to use them with the needed competence (and paranoia), it will not work. There is no way to transform security into a magic button which an incompetent user just clicks and gets it.

        Security requires effort to check the keys, keep them private, accept the extra steps to apply and check it, remember passwords, keys and credentials, etc. etc.

        90% users are plainly and loudly annoyed by common

        • by jonwil (467024) on Thursday January 14, 2010 @05:21AM (#30762270)

          There do exist packages that can handle the encryption of at least fixed disks without the user needing to do anything more than the usual login. BitLocker for one (and BitLocker can plug into Active Directory easily)

          With the right software, it is possible to protect the fixed disks of all PCs in the enterprise (including laptops that may only connect to the network through a VPN or may be used in places where there is no network access at all such as airplanes) and the only thing the users have to do is to log in just like they normally do. Mobile devices like Blackberries and Windows Mobile devices also have options for encryption that IT can enable. Even email can be encrypted without the users doing anything special using modern versions of Exchange (at least from what I read with Google)

          • Re: (Score:2, Troll)

            by Spazmania (174582)

            With the right software, it is possible to protect the fixed disks of all PCs in the enterprise

            Unless of course you actually want to use your computer. Then you discover how painfully slow it is. How it happily encrypts your USB drive too, rendering it useless. You take a PowerPoint presentation with you and look like a fool in front of your customers because it's encrypted and they can't display it on the projector from your thumb drive.

            Seriously, the windows software-based hard disk encryption solutions r

            • by jonwil (467024)

              Does BitLocker have the limitations you refer to?

              • by cbhacking (979169)

                No, it doesn't, he's either an idiot or a troll.

                BitLocker's encrypt/decrypt delay is almost entirely hidden in disk latency. The CPU can do encryption far faster than the disk can do I/O, so unless another program was heavily leaning on the CPU while you're accessing the disk, you won't even notice the slowdown.

                BitLocker in Windows 7 or Server 2008 R2 supports encryption of removable drives, but doesn't make it mandatory and certainly doesn't do it automatically. You (IT) *can* make it mandatory using Group

                • I beg to differ.
                  We use PGP whole disk encryption and let me tell you, you notice the difference between two machines, one with crypto, one without. That said, it's the company's machine. If they want it to be slower but more secure that's their call.

                  Also, on normal tasks this difference may be nominal, but if you're doing a backup and/or virus scan, and doing something else that requires CPU you will bog badly.
                  -nB

          • by omglolbah (731566)

            BitLocker is, as far as I can tell, not available for Windows XP, which makes it unavailable to most corporate users.

            With the slow speed of migration from Windows XP, BitLocker is hardly something available to most.

            • by cbhacking (979169)

              This is true, although many businesses are upgrading to Win7 and some already upgraded to Vista, both of which support BitLocker (7 more so than Vista). What's more, a laptop that is intended to carry sensitive data and leave the premises may well have a higher edition of Windows installed specifically to enable BitLocker, even if it also then needs a virtual XP install in order to access some horribly legacy IE6-only ActiveX corporate intranet site.

            • by lorenlal (164133)

              I work in a place where we have to encrypt anything that leaves the front door. We used a third-party encryption tool which I won't name. There was a noticeable slowdown after performing the encryption on our laptop drives, and the interface to encrypt removable media was painful... But it did work for XP.

              Now that we've got some work done on the Windows 7 front, BitLocker makes much less of an impact performance wise... I assumed that it was because the TPM was involved because I didn't even notice the 5

        • by tomtomtom (580791)

          90% users are plainly and loudly annoyed by common access password expire time and complexity requirements. They are simply not intellectually ready to manage encryption of fixed and removable media.

          I have complained to my corporate IT-droids about this before. My issue isn't the expiry (90 days is perfectly reasonable), it's the ridiculous policy they enforce which means that about 70% of the RANDOMLY-GENERATED passwords I try to use won't even work. They enforce: (1) At least one of each of: number, upper case, lower case, symbol; (2) No two consecutive characters a repetition; (3) No two consecutive characters may be adjacent on a QWERTY keyboard; and (4) No three or more consecutive characters are
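          An added example, not from the thread, that models the three rules the post spells out (the truncated fourth rule is omitted) and estimates how many randomly generated passwords such a policy rejects; "adjacent on a QWERTY keyboard" is taken here to mean left/right neighbours in the same key row, which is an assumption:

```python
import math
import random
import string

# Assumed US QWERTY layout: plain and shifted characters of each key row.
# Shifted symbols map back to the same key as the plain character.
QWERTY_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
SHIFTED_ROWS = [
    "~!@#$%^&*()_+",
    "QWERTYUIOP{}|",
    "ASDFGHJKL:\"",
    "ZXCVBNM<>?",
]


def _key_positions():
    """Map every printable character to its (row, column) key position."""
    pos = {}
    for r, (plain, shifted) in enumerate(zip(QWERTY_ROWS, SHIFTED_ROWS)):
        for c, (p, s) in enumerate(zip(plain, shifted)):
            pos[p] = (r, c)
            pos[s] = (r, c)
    return pos


KEY_POS = _key_positions()


def adjacent_keys(a, b):
    """True if a and b sit on horizontally neighbouring keys (assumption:
    'adjacent' means the key immediately left or right in the same row)."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return pa[0] == pb[0] and abs(pa[1] - pb[1]) == 1


def policy_violations(pw):
    """Return the rules (1)-(3) from the post that pw breaks; empty = accepted."""
    failures = []
    has_all_classes = (
        any(c.isdigit() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c in string.punctuation for c in pw)
    )
    if not has_all_classes:
        failures.append("rule1: missing number, upper, lower or symbol")
    if any(x == y for x, y in zip(pw, pw[1:])):
        failures.append("rule2: two consecutive characters repeat")
    if any(adjacent_keys(x, y) for x, y in zip(pw, pw[1:])):
        failures.append("rule3: two consecutive characters adjacent on QWERTY")
    return failures


def random_password(rng, length=12):
    """Uniformly random password over the 94 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(rng.choice(alphabet) for _ in range(length))


def rejection_rate(trials=20000, length=12, seed=1):
    """Fraction of random passwords the policy rejects (seeded, reproducible)."""
    rng = random.Random(seed)
    rejected = sum(
        1 for _ in range(trials) if policy_violations(random_password(rng, length))
    )
    return rejected / trials


def entropy_loss_bits(rate):
    """Bits of entropy lost when a policy rejects this fraction of the
    uniformly random space: the surviving space shrinks to (1 - rate)."""
    return -math.log2(1.0 - rate)


if __name__ == "__main__":
    rate = rejection_rate()
    print(f"rejected {rate:.1%} of random 12-char passwords")
    print(f"entropy loss: {entropy_loss_bits(rate):.2f} bits")
    print(policy_violations("qwerty123"))
```

The rejection rate it reports is the practical cost the post complains about: every rejected random password is a reduction of the space an attacker has to search, not an increase.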

        • Re: (Score:3, Insightful)

          by Sir_Lewk (967686)

          I can give you the best security tools

          Well according to this article, it seems the vast majority of your peers cannot even be irked to do that much. Blaming users for not knowing how to use software they were never given in the first place takes a special kind of jackass.

          Also, password expire times are idiotic that probably do more to reduce password security than increase it.

    • by physburn (1095481)
      I do blame IT, at least partially. A business IT center might well see the wisdom of data encryption everywhere, but competing against this is how easy it is to recover lost data (damaged disk, lost passwords or encryption keys), plus the added complexity of managing the system. If it was built into Windows I'm sure many more companies would use it. It is built into Linux, but not exactly visible, or well known. Better support in the OS would, I'm sure, make encryption much more commonly used.


    • by Atrox666 (957601)

      I would push for this if I could sell these people on a functional backup system for the users.
      I can't afford to lower my chances at recovering HDs where no backup exists.
      I also have 11000 computers to deal with in my environment. If it costs $1 per seat for software then I will have no hope at getting funding.

  • Remote Desktop (Score:3, Interesting)

    by Anonymous Coward on Thursday January 14, 2010 @03:39AM (#30761904)

    I telecommute and all my work is stored on the server I remote into.
    As I have no work stored locally there is no encryption (aside from the VPN into the server).

    • Re:Remote Desktop (Score:5, Informative)

      by fuzzyfuzzyfungus (1223518) on Thursday January 14, 2010 @06:15AM (#30762490) Journal
      I have to wonder how many of the outfits in TFA's little scare story fall into your category.

      Remote access to network resources via a Citrix or other terminal server setup isn't exactly uncommon and means that no data of any interest actually end up on the user's HDD. They could still have a keylogger or screen-grabber lurking; but full disk encryption wouldn't save you from that in any case.

      Frankly, unless the remote users are all on fully-managed-owned-and-issued-by-IT laptops, which are the only ones where full disk crypto is really going to be practical on any scale, a terminal server is overwhelmingly easier to set up and run. "Go to our website, click here, receive desktop" is a far simpler instruction than "Establish a VPN connection, now connect to our fileserver to access your documents, now configure your email client, now do all the other little things that would happen automagically if you were on a machine we had set up. Oh, you'll probably be asked for your credentials 10 times or so, because your machine isn't bound to our domain."
  • by Anonymous Coward on Thursday January 14, 2010 @03:43AM (#30761918)

    There are corporate docs using Office 2003 DRM where I work. I'm literally the only person in a multi-national company that can read the docs because I'm the only one who applied the hotfix for the expired certificate.

    IT can't or won't do it through the domain.

  • by upuv (1201447) on Thursday January 14, 2010 @03:43AM (#30761922) Journal

    I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

    Exactly where does this BS stat come from again?

    • by commport1 (1530901) on Thursday January 14, 2010 @03:57AM (#30761960)
      I'm with you. In the consulting space, and the MAJORITY of companies don't have anything coming close to 'sensitive corporate data' to fall into the wrong hands that would necessitate encryption. To tell you the truth, the majority couldn't give two hoots about who reads their monthly sales figures, HR reviews, etc etc. Anyone who REALLY wants to is going to read them anyway, right? The MAJORITY of companies could care less. Eg. a Club. They sell alcohol and have a couple of restaurants, etc. Exactly the same as the Club down the street. And there is NO competitive advantage for the 'club down the street' to gain by reading the competitors reporting. Not a big deal.
      • As someone else pointed out, as you move up in the size of business, you're more likely to encounter encryption and more stringent security policies. There are definitely many exceptions though on both ends of the spectrum.

        I'm also a consultant, and personally all the user information on my laptop is encrypted. I don't want to ever have to explain to a client that my laptop was stolen with any of their sensitive data available on it.
      • Re: (Score:3, Insightful)

        by Kamokazi (1080091)

        I would mod you higher if possible.

        This is exactly the case. Most places don't need encryption. I read a cleverly worded quote once that said something to the effect that security should serve business goals, and not just be there for security's sake. This is one of those cases. Encryption is a pain in the ass and not usually necessary.

        The only data virtually every company needs to protect is their employees' personal info, generally in HR. SSN's, any Medical info from insurance claims, etc.

        • Re: (Score:3, Insightful)

          by bschorr (1316501)
          What about bank account info? Account numbers and balances? Saved passwords to financial sites or corporate resources? What about customer data? Credit card numbers? We see data in customer sites every day that shouldn't be exposed outside the organization. Granted it's not always found on portable devices but sometimes it is.

          Whole disk encryption is really not difficult to do and it's a heck of a lot easier than having to apologize to all of your customers because you lost an unencrypted laptop with
    • by AliasMarlowe (1042386) on Thursday January 14, 2010 @04:03AM (#30761982) Journal

      I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

      Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3.10^4 employees worldwide).

      Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

      • by bertok (226922)

        I'm a consultant. I have honestly NEVER encountered any user at any company encrypting disk/usb/cd/dvd/email.

        Where I work (company has over 10^5 employees worldwide), whole disk encryption is standard on all laptops. It is uncommon on desktops, however, and not compulsory on removable devices. All remote access is always encrypted, and requires the correct encryption package and authorizations. A similar situation existed at the place I worked before (about 3.10^4 employees worldwide).

        Due to the support and policy infrastructure needed, I suspect encryption is much commoner in large organizations than small ones. How the statistics on use of encryption (TFA says 27%) are formed is another matter.

        I've been to about 100 organisations, and I've seen only 2 with widespread encryption, and only 1 with 100% encryption.

        If you count every organisation that uses SOME encryption, maybe 27%, but even then, how many small businesses use serious security?

      • by david.given (6740)

        ...about 3.10^4 employees worldwide...

        <pedant> 92 employees isn't such a big number. And who's the 0.3521 of an employee? Did someone fail to get out of the way fast enough when closing the tape vault? </pedant>

        • by Neoprofin (871029)
          If you really wanted to be mean you could've pointed out that simply writing out the number would have been more space and time efficient.
    • In what office jobs I've held (mostly inbound customer service), I've never encountered an encryption program deployed company-wide to make sure data stays secure. I did see a lot of company propag-, I mean, materials referencing the need for encryption and good data protection practices. In other words, a lot of hot air.

    • by asc99c (938635)

      Agreed. I'm not in consulting myself, but I do write custom software, and regularly visit customer sites for install and commissioning of the software. I have also never once seen a company encrypting stuff like this. Just one company wouldn't let us connect our own laptops onto their network, and instead provided laptops we could collect each morning. That's about the most security conscious place I've ever encountered, and most of these are very large companies typically tens of thousands of employees

    • by TheCarp (96830)

      Have you worked in health care...recently?

      I think it was only regulations that made us do it. Well, made them do it. When they came to me and asked if I installed their encryption product, I told them that I had been encrypting my drive for over 3 years on my own, and unlike most others, my job really is easier if I run linux than windows, and then I tossed the key size and encryption mode at them (figured if I made their eyes gloss over they wouldn't want to continue the discussion) and told them I would b

    • I'm a consultant.

      That is why you do not see it. The companies that use it know what they are doing, and do not need you.

  • Encryption drawbacks (Score:5, Informative)

    by WetCat (558132) on Thursday January 14, 2010 @03:56AM (#30761950)

    Using encryption has its drawbacks:
    * you must provide a meaningful key management
    * you lose speed of your machines for number crunching
    * you can easily lose data in the event of hardware corruption
    * access to data is a bit harder even for legitimate purposes
    * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
    * skills of your systems management must be higher

    • by grahamlee (522375) on Thursday January 14, 2010 @04:14AM (#30762026) Homepage Journal
      Taking those point by point (and staying on topic by discussing hard drive encryption, the subject of TFA):

      * you must provide a meaningful key management

      Depending on the size of the organisation and the purposes for using encryption, key management may not be necessary, though you still need a capable and reliable lost-passphrase-recovery helpdesk which is going to cost.

      * you lose speed of your machines for number crunching

      I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

      * you can easily lose data in the event of hardware corruption

      * access to data is a bit harder even for legitimate purposes

      Yes, that's the whole point. It's usually only a bit harder (you have to authenticate before the operating system will boot) but in return for that, the confidentiality of your data is protected. Security is about risk management and if the risk of publicising your company's secrets is more significant than the risk of users losing time by forgetting their passwords, then the trade-off is worth making.

      * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption

      Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

      * skills of your systems management must be higher

      Oh noes! I pay my systems managers to manage my systems but don't want to pay people who know what they're doing!

      • by grahamlee (522375)

        Firstly, the kind of encryption they're talking about in the article, as implemented by BitLocker on Windows and third-party products on many operating systems, is transparent to operating system processes.

        Erm :). Secondly, active directory domain controllers are typically run on servers rather than laptops, and full-disk encryption is typically run on laptops rather than servers.

      • Re: (Score:3, Informative)

        by KiloByte (825081)

        * you lose speed of your machines for number crunching

        I think you need to review just how much time you think computers spend reading and preparing data from the hard drive. If you're in the middle of a number-crunching job, it's pretty much negligible. And besides that, most business laptop users (the target users of full-disk encryption) are trying to read e-mail and write Powerpoint slides, they aren't trying to simulate protein folding.

        For typical modern hard disk and CPU speeds, it takes about a single whole core to encrypt/decrypt the data at full bandwidth. That's definitely not a negligible loss. Business users may be not trying to run make -j like we do, but they'll still suffer significantly decreased battery life.

        • Re: (Score:3, Informative)

          by broken_chaos (1188549)

          From my experience playing with dm-crypt under Linux (on a greater-than three year old laptop, nonetheless), the speed and battery impact is surprisingly negligible for anything that doesn't constantly access the disk. Even with constant disk access, it was often less than a 'full core' of CPU utilisation. The only circumstance I can see full disk encryption, even done entirely in software, being a significant drain on performance is with a single core system or an extremely fast hard drive setup. A number

        • by cbhacking (979169)

          Where the hell did you get that number from? Test with BitLocker show a loss of between 14% (old single-core CPU with lots of processes running) and under 1% (high-end quad-core system that could easily have devoted two cores to decryption if anything close to that much was needed - the loss in this case was due to the trivial increase in disk latency caused by running it through the decryption routine). Normal performance loss was under 5% on a typical system of about 18 months ago (dual-core, 2.0 to 2.5 G

        • by nxtw (866177)

          For typical modern hard disk and CPU speeds, it takes about a single whole core to encrypt/decrypt the data at full bandwidth. That's definitely not a negligible loss. Business users may be not trying to run make -j like we do, but they'll still suffer significantly decreased battery life.

          I've used full disk encryption for the past four years. Overall, the loss in performance is negligible unless performing I/O heavy tasks such as running virtual machines or loading a full-sized hibernation image. Running

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I ask, what are the tradeoffs though? Some of these factors can be mitigated. If you use Vista or Windows 7, Bitlocker recovery keys can be plopped into Active Directory.

      The factors for not having encryption are worse, and this is not factoring PCI/DSS compliance, Sarbanes-Oxley, HIPAA, CALEA, and other laws:

      * The legal liability of having records that were likely tampered with, so if there is a tax audit, there is no proof of anything that can stand in a tax court. The IRS or tax body may find that the

    • by bertok (226922) on Thursday January 14, 2010 @06:13AM (#30762472)

      Using encryption has its drawbacks:
      * you must provide a meaningful key management
      * you lose speed of your machines for number crunching
      * you can easily lose data in the event of hardware corruption
      * access to data is a bit harder even for legitimate purposes
      * many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
      * skills of your systems management must be higher

      I know you probably mean well, but every one of those statements is basically false.

      - Active Directory + Bitlocker OR AD + Encrypting File System (EFS) both do automatic key management, key escrow, etc...
      - Bitlocker has no performance impact, it uses the TPM chip. Also, most CPUs are MUCH faster at encryption than disks are at reading or writing data, so it's not a bottleneck even for software-only systems.
      - hardware corruption causes data loss anyway, encryption just ensures that you only ever get valid data. In that respect, it's a little like ZFS -- encryption also provides integrity, as well as security.
      - Access to data on encrypted volumes is NOT harder. It's usually transparent. If you have proper backup procedures in place, you need never access data in non-standard ways. Speaking of which, your backups should be encrypted too!
      - AD works well with encryption, and has its own built in. It's already reasonably secure for most applications, and doesn't really need further encryption. The only AD related protocol that had issues with ipsec is DNS, but Windows 7 and 2008 R2 now support that as well.
      - If you're already deploying Windows Vista or 7 SOEs, adding in Bitlocker is trivial, it's basically a checkbox. Deploying ipsec is admittedly a little harder, but it's not exactly rocket science.

      I've implemented extensive encryption before, and it wasn't hard, and the users never noticed. From what I've seen, the lack of encryption is not caused by technical issues, but laziness and politics.

      Security is one of those things that's not a problem day to day, just like backups. The users don't notice, and nobody complains to the managers about it, so it must not be a problem, right?

      You only need security on those rare occasions when there's a hack, or a laptop gets stolen, or some intern sells 10 petabytes of old backup tapes full of customer data on eBay for $35. Of course, when those things happen, it's already too late to implement security. The breach has already occurred. There's no going back in time to tick checkboxes.

      In case you're wondering just how common data breaches are, check out this list of the publicly known ones:

      http://www.privacyrights.org/ar/ChronDataBreaches.htm [privacyrights.org]

      If that doesn't scare you, think about how many more there are that the public didn't find out about. Chances are good that your personal data has been leaked to God-knows-who, probably several times, because of lazy IT admins and inept managers.

      • by lukas84 (912874)

        Bitlocker has no performance impact, it uses the TPM chip.

        Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.

        BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.

        • by bertok (226922)

          Bitlocker has no performance impact, it uses the TPM chip.

          Wrong. While Bitlocker utilizes the TPM to ensure a secure boot and automatic unlocking (if so desired), the TPM chip is NOT used to handle the actual encryption/decryption.

          BitLocker in Windows 7 will support the new Core i3/i5 AES extensions for faster encryption, though.

          Good point, apparently there is a 30-40% hit on very low-end netbooks (Intel Atom, etc...), but on modern CPUs it appears to be about 10-15% at most.

          I doubt most office workers would notice that, but if you had an SSD, I suppose you'd think twice before turning it on, unless you had a CPU to match!

  • by hwyhobo (1420503) on Thursday January 14, 2010 @03:56AM (#30761952)

    As a road warrior I should be using encryption, right? I would be a perfect candidate for it? And yet there is no way I will encrypt my laptop when I travel. The risk of losing access to the data when something goes wrong is far too dangerous to risk it. I have had problems on the road already, yet I have always managed to recover my data either from my laptop or from backups, but what happens when the decryption mechanism or the OS crashes? Carry another laptop? Carry bootable USB-based decryption tools? Sorry, too many variables, too much potential for trouble.

    It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

    (1) As long as it is unencrypted, you can still recover it relatively easily.

    • by motherjoe (716821) on Thursday January 14, 2010 @04:03AM (#30761980)

      So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

      • by hwyhobo (1420503) on Thursday January 14, 2010 @04:09AM (#30762002)

        So long as you don't work for Equifax, Choicepoint, the IRS, FBI or any other organization that's going to have my SSN on your Laptop. :)

        That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ. There it should be encrypted.

        • by aclarke (307017)
          You're right of course. Should, should should. I don't know what business you're in, and what data is on your hard drive. I know I DO have sensitive information on my laptop, much as I try to remove it. For instance, I once had a customer email me a Microsoft Access database with > 13,000 customer records with credit card, CVV code, and full billing name and address. That clearly violated a number of agreements he had in place with his acquiring bank, but it only takes one file like that that you fo
        • that kind of information should never be carried on one's laptop, period.

          I completely agree with you, which is why I think this article is bunk. It shouldn't matter if your company uses encryption on laptops or not, because if your data is too valuable to lose then it's too valuable to be stored on a laptop.

          VPN -> Citrix -> Data.

        • That's another problem altogether - that kind of information should never be carried on one's laptop, period. It should only be accessed through a secure tunnel, and it should reside at HQ.

          My wife's a doctor. She uses an electronic medical records package that runs on a dedicated, non-Internet-connected server back in her office. She also travels to nearby towns to host remote clinics maybe 6-8 times a month. For that, she uses the same software on a laptop that syncs against the server whenever she's in her main office.

          The infrastructure you're so certain we should use does not exist here. Most of these clinics are in small towns, population under 1,000, and don't have any Internet access in

    • by upuv (1201447)

      100% Agree. The simple fact is if I encrypt it here I can't un-encrypt it there. Translation. My hard disk uses version 1.5.3.6.3.222.43..56666.333 of software BLOTZO.supersafe.org and nothing else I own does. My HD goes cactus I'm screwed.

      I simply can't trust that I can recover from a failure. Even if I carry the magic secret key to the encryption.

      It'll cost "me" more to recover than to have stolen.

      P.S. I will go down on assault charges the next time some moron un-plugs my usb drive without safely eje

      • Re: (Score:3, Insightful)

        by jimicus (737525)

        100% Agree. The simple fact is if I encrypt it here I can't un-encrypt it there. Translation. My hard disk uses version 1.5.3.6.3.222.43..56666.333 of software BLOTZO.supersafe.org and nothing else I own does. My HD goes cactus I'm screwed.

        I simply can't trust that I can recover from a failure. Even if I carry the magic secret key to the encryption.

        It'll cost "me" more to recover than to have stolen.

        P.S. I will go down on assault charges the next time some moron un-plugs my usb drive without safely ejecting it.

        Which is why the correct response to "Oh dear my OS has failed and I now can't recover any of the encrypted data that was on the hard disk" is NOT "I'll have to crack out the bootable USB rescue disk that has never been properly tested and cannot possibly work in all circumstances".

        The correct response is "Oh well, that's what the backup is there for".

        (How easy it is to enforce your users not storing data on their laptops - or if they must do so guaranteeing they have a working backup facility in place - is

      • by bschorr (1316501)
        Our company has a really cool product that we sell to our customers for recovering data in the case of a drive failure. It's called a "backup".

        It's been in the papers, you should check it out. ;-)
    • Re: (Score:3, Insightful)

      by Jeian (409916)

      It depends on your job. If you're, say, a marketing consultant, encryption probably isn't all that important. If you work for a credit card processing company (I previously worked in the IT department for one) you absolutely should be using encryption.

    • Re: (Score:3, Insightful)

      by Orlando (12257)

      It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

      I would go even further - What is the mathematical probability of someone stealing my [laptop] AND being interested enough in the data on the disk to bother trying to get access to it.

      Even without encryption, getting access to the data on a laptop which uses OS password authentication requires some time and

      • by IBBoard (1128019)

        Even without encryption, getting access to the data on a laptop which uses OS password authentication requires some time and knowledge

        I'm not exactly sure I'd call "throw a Linux Live disk" or "unscrew the HDD compartment, remove the disk and hook it up to a desktop" things that require much time or very much knowledge.

        Chances are that thefts probably are to sell it and that they aren't interested in the data, but companies still shouldn't want to risk it (particularly if they work in a more sensitive envir

        • by Orlando (12257)

          I'm not exactly sure I'd call "throw a Linux Live disk" or "unscrew the HDD compartment, remove the disk and hook it up to a desktop" things that require much time or very much knowledge.

          You wouldn't call it much knowledge, but you're reading Slashdot, right? The vast majority of laptop thieves wouldn't know or care how to do this.

      • I would go even further - What is the mathematical probability of someone stealing my [laptop] AND being interested enough in the data on the disk to bother trying to get access to it.

        Two words you might want to consider...

        "industrial" and "espionage"

        Software installed and versions for further hacking attempts on the rest of the infrastructure.
        Sales, marketing, pricing information. Release timing information.
        Source code in products.

        You name it.

        The information is almost certainly far more valuable than the hardware, to the right people.

        • by tomtomtom (580791)

          Hmm. The thing is, in almost all industries where the incentives are sufficient for industrial espionage to be a credible threat, forms of collusion or cartels are almost certainly a greater threat leading to the same outcome.

          If you have medical records, state secrets or financial information, then OF COURSE you should be taking these sorts of precautions (and not storing this data on laptops is the first precaution you take). Common thieves stealing bank or credit card details is a credible threat. Journal

      • Re: (Score:3, Interesting)

        by aclarke (307017)
        If you have sensitive customer data on your computer, by law you may be required to notify those customers if the data is lost. Or, you may decide that morally it is the right thing to do. Therefore, you also have to balance the potential bad press your company's announcement will generate based on you losing your laptop, whether or not you know that the people who stole it are going to access the data.

        Risk management is more than just the likelihood of your laptop being stolen and your data being acce
    • by Bert64 (520050)

      And if your OS fails to boot, you will need to carry bootable media with you in any case.

      There are also hardware encrypted drives, OS independent, no performance hit, no software to become corrupted... The only thing that would stop you getting at your data is a hardware failure, and a hardware failure will break an unencrypted drive just as badly.

      • a hardware failure will break an unencrypted drive just as badly.

        I have found myself in a situation where my laptop was field-unrecoverable. Yet, since I carry a fairly common model of a Thinkpad, I was able to borrow one from the site I was visiting, and a simple drive swap solved the problem.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I also use a laptop often. However, I use TrueCrypt or BitLocker on Windows, and PGP WDE on my Mac. Why? Because if my laptop was stolen, I'd rather have it be "just" a hardware theft that I can get a police report, file a claim on my insurance, and replace my hardware. Without encryption, I would have not just a hardware theft, but a possible theft of:

      * License keys to the OS and apps. A volume license key for a popular app is a boon for pirates.

      * Personal Documents on the hard disk which can be used

    • Re: (Score:2, Informative)

      by Radtoo (1646729)

      but what happens when the decryption mechanism or the OS crashes? [...]

      It all comes down to a simple calculation - what is the mathematical probability of someone stealing my drive vs. my OS or disk crashing?(1) Anyone who has traveled knows the second far outweighs the first.

      (1) As long as it is unencrypted, you can still recover it relatively easily.

      Well, I'm not sure what encryption solution you might have tried. I for one have been using first TrueCrypt and then LUKS on a laptop. It traveled far and its hard disk drive already had to be replaced twice. There never were any particular pains with encryption.

      First and most important of all, backups and encryption do not interfere. So you obviously DO backup such a laptop that may get stolen, lost, or break completely. Certainly, if you use encryption, you want to have the software needed to decrypt an

    • but what happens when the decryption mechanism or the OS crashes?

      It sounds like you haven't tried it and don't really understand the mechanisms (understandable).

      The answer is you carry a rescue disc/USB, same as always if you want to be able to deal with eventualities on the road. /boot needs to be unencrypted anyway, so you can keep a rescue kit there as well.

      I don't think I've ever heard of anybody losing their data because LUKS failed. The filesystems you put on top of the encryption layer, sure, they'

  • by Wizarth (785742) on Thursday January 14, 2010 @03:59AM (#30761964) Homepage

    That is a larger percentage than I expected. I wonder if the statistics were collected by asking people if they used it, and the percentages were more the amount of people who knew they should be.

    • That is a larger percentage than I expected. I wonder if the statistics were collected by asking people if they used it, and the percentages were more the amount of people who knew they should be.

      It probably is directly proportional to the percentage of businesses leaving Windows behind. The number is growing rapidly, but to avoid harassment of all kinds, including pesky sales drones, they try not to be visible about it.

  • that's because (Score:3, Informative)

    by rastoboy29 (807168) on Thursday January 14, 2010 @04:30AM (#30762074) Homepage
    we geeks haven't made it easier to use.
  • There is no way it is that high.

  • by vadim_t (324782) on Thursday January 14, 2010 @04:49AM (#30762156) Homepage

    There's one use for encryption people don't generally discuss: tech service.

    I've been running a home server for a long time. Such systems over time accumulate years' worth of mail, which will contain private data, website passwords, and so on. I personally feel uncomfortable with sending a disk containing years' worth of data to a tech support department when I want to, say, get it replaced under warranty. There have been a few stories about underpaid techs looking for music and porn on customers' hard drives. And if the disk is broken I can hardly erase it properly.

    So my solution:

    For servers, encrypt the disk, and keep the key on a USB drive always plugged into the server. If a disk breaks, I remove the disk, and send it for warranty replacement without worrying about the data.

    For laptops, I use Ubuntu's disk encryption. It's even better there as laptops usually don't have RAID, and may break for multiple reasons that I can't personally fix.
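The recovery worry raised upstream in this thread (an OS or disk failure leaving LUKS data unreachable, answered above with rescue media and backups) and the server setup in this post (key on a USB stick, passphrase kept as a fallback) in one added shell example. This is an editorial addition, not the poster's own script and not anything shipped by the cryptsetup project. It assumes a partition already formatted with cryptsetup luksFormat, the placeholder device /dev/sda2, a keyfile on a mounted USB stick at /media/usbkey/server.key, a header backup under /root, and the Debian/Ubuntu passdev keyscript for the crypttab line; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (editorial, not the poster's script): enrol a USB keyfile on a
# LUKS volume while keeping the passphrase slot as a fallback, then back up the
# LUKS header so a damaged header is recoverable. All paths are placeholders.
set -e

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a 4 KiB random keyfile readable only by its owner (root).
make_keyfile() {
    keyfile=$1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'umask 077 && head -c 4096 /dev/urandom > %s\n' "$keyfile"
    else
        ( umask 077 && head -c 4096 /dev/urandom > "$keyfile" )
    fi
}

# Add the keyfile as an extra key slot. luksAddKey asks for an existing
# passphrase, and that slot stays: losing the USB stick does not lose the data.
enroll_usb_key() {
    dev=$1; keyfile=$2
    run cryptsetup isLuks "$dev"
    run cryptsetup luksAddKey "$dev" "$keyfile"
}

# Save the header (all key slots) and check that the copy parses as LUKS.
# Keep the file off the encrypted volume itself, e.g. with the rescue media.
backup_header() {
    dev=$1; out=$2
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    run cryptsetup luksDump "$out"
    run chmod 0400 "$out"
}

# crypttab entry, Debian/Ubuntu passdev form (assumption: cryptsetup-initramfs
# installed): keyfile at <path> on <usb-device>, read at boot by the keyscript.
crypttab_line() {
    name=$1; uuid=$2; usbdev=$3; path=$4
    printf '%s UUID=%s %s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
        "$name" "$uuid" "$usbdev" "$path"
}

# The whole procedure. After a header corruption the matching restore step is:
#   cryptsetup luksHeaderRestore "$dev" --header-backup-file "$hdr"
plan() {
    dev=$1; keyfile=$2; hdr=$3
    make_keyfile "$keyfile"
    enroll_usb_key "$dev" "$keyfile"
    backup_header "$dev" "$hdr"
}

# Print the plan without touching anything: ./luks-usb-key.sh --plan
if [ "${1:-}" = "--plan" ]; then
    DRY_RUN=1 plan /dev/sda2 /media/usbkey/server.key /root/sda2-luks-header.img
    crypttab_line data UUID-PLACEHOLDER /dev/disk/by-id/usb-PLACEHOLDER-part1 /server.key
fi
```

The header backup is the piece that answers "my disk failed and now nothing decrypts": a LUKS volume with a corrupted header is unrecoverable without it, whereas a damaged filesystem inside an intact LUKS container is no worse than on a plain disk. Note that the backup holds every key slot as it was when taken, so any passphrase or keyfile that was valid then still unlocks the data through it even after the slot is removed from the live header; protect the file the same way as the keyfile.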

    • For servers, encrypt the disk, and keep the key on a USB drive always plugged into the server. If a disk breaks, I remove the disk, and send it for warranty replacement without worrying about the data.

      For laptops, I use Ubuntu's disk encryption. It's even better there as laptops usually don't have RAID, and may break for multiple reasons that I can't personally fix.

      Funny, you did not consider not downloading and storing porn in your hard disks.

      • by vadim_t (324782)

        Why would I worry about porn? If some tech drone sees there's porn there, big deal.

        Now something that worries me a lot more is somebody digging up a credit card number from the browser cache.

        • > Why would I worry about porn? If some tech drone sees there's porn
          > there, big deal.

          Unless the tech drone and his pointy-hair store-supervisor think, she
          looks less than 18. Before you know it, a police report has been
          filed, questioning ensues and a whole mess in general descends upon
          you that you may never quite extricate yourself from again...even if
          she was 23 at the time but who's gonna ask her...

    • by cbhacking (979169)

      Indeed, the ability to fairly irrevocably destroy all data on the disk (by removing all recovery keys to the encryption) is one of many advantages to whole-disk encryption. Granted it's less secure than overwriting the platters with random data 17 times and then running a magnet over them for good measure, but it's a preventative measure and as you point out it's something that you can do before a disk dies, to ensure the data is irrecoverable even if you can't write to it anymore but somebody malicious with

    • by butlerm (3112)

      I never send hard drives in for warranty service or replacement. If they have confidential data on them, I beat them up with a hammer and throw them away. If the drives actually work, and aren't hopelessly old, I put them on a shelf instead.

      As far as encrypting data at the block level is concerned, I doubt it will become prevalent until it is a standard feature of every common operating system. Even then there will be many systems that won't use it without hardware encryption support, because it will be

  • by frinkacheese (790787) on Thursday January 14, 2010 @05:07AM (#30762226) Journal
    If you run a cleaning company or you're a group of plumbers or perhaps you have a fairly large landscape gardening company then your data just is not that important or a target. So this survey is really quite useless, so what if Agnes Cleaners do not encrypt their thumb drives with their cleaning rota on it? Nobody cares. So whilst all organisations should encrypt just because it is sensible, not all organisations really need to bother because the likelihood of anything happening to their data is so small that it's just not worth the effort of sorting out the idiots who call up the part-time IT admin guy because they have forgotten their encryption key (again).
    • by grahamlee (522375)
      How about Agnes Cleaners' contact database, containing all their customer records?
      • by TheLink (130905)
        Who really cares about contact databases? They're just a bunch of public info - stuff in business cards. Unless Agnes Cleaners is a CIA front company it'll be no big deal.

        It's likely that their customers already list themselves on the "Agnes Cleaners Facebook fan page" and post stuff like "hey I'm going to Florida, but I've changed the locks - stupid lock broke, so you can find the key under the doormat".

        Most people don't care about secrecy. And in most cases it doesn't matter, because fortunately most peop
    • Does Agnes Cleaners work for anyone with a medical condition that requires a cleaning support staff? That service may even be paid for in whole or part by a public (Medicare) or private health insurer.

      HIPAA!

  • I have no idea if this is at all a best-practice (most likely not), but I still feel like sharing how encryption is used in our 2-person office.

    I set up disk encryption (with dm-crypt) for the linux server data drives and their backup drives only. The (Windows) desktop clients are dumb machines in the sense that no data is stored locally, except installed applications. All work is done on files on the server directly.

    My main worry is that someone walks away with the server machine and/or the backup drives

  • Seriously, what makes you think there would be any corporate data on my home computer when I work from home? Allowing anything like that is just insane. No sane organisation would ever allow that. (Obviously the UK government is no sane organisation by that definition).
  • by barzok (26681) on Thursday January 14, 2010 @06:53AM (#30762642)

    thousands of businesses are using plain FTP and email to throw unencrypted files around to & from other companies daily.

  • I've seen disk encryption set ups where you never have to supply an outside key or password to start up the computer--it's all self contained. Meaning that all the information necessary for decryption is being kept on the disk. Yeah, that's secure.

  • The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users.

    And my left arm is made of up to 75% cheese.

    Is it just me, or is that line a little misleading?

  • The amount of data in typical business documents and email now vastly exceeds the amount of data you need to push out to a thin client to provide a good user experience. Why not leave the hard drive and all of the data they contain in your home office and only take home the keyboard and screen to display it with [aimtec.co.uk] (which DOES use an encrypted channel back to the data center). That's what my company does and if a Sun Ray thin client or Gobi laptop ever goes missing, so be it, pull another one off the shelf a
    • by langelgjm (860756)

      I like this quote from your link:

      "And, because a Sun Ray Client doesn't contain a disk drive or any means of persistent data storage, it's an unattractive target for theft."

      And how do they think the average thief is going to know that it doesn't contain a disk drive? Probably be better off spray-painting it hot pink, that might make it an unattractive target.

      • "And, because a Sun Ray Client doesn't contain a disk drive or any means of persistent data storage, it's an unattractive target for theft."

        And how do they think the average thief is going to know that it doesn't contain a disk drive? Probably be better off spray-painting it hot pink, that might make it an unattractive target.

        Yes, unfortunately the Sun Ray Client laptops I've used have a similar form factor and weight to fat client laptops. A Sun Ray 2 doesn't look much like a PC, though it does look like a Wii which might make it a target for thieves. Either we need a dumb thief "How to tell if you're stealing a PC?" education program or we need to accept that there will be thieves and make sure they only get away with the hardware, not the data or software.

  • Of those 27% (Score:4, Insightful)

    by TejWC (758299) on Thursday January 14, 2010 @09:30AM (#30763720)

    I wonder what percent of them wrote their password on a post-it note attached to their laptop.

    • by bschorr (1316501)
      That would probably be the percentage who mistakenly think that randomness is more important than length when it comes to passwords.

      I see orgs all the time who think that "X7Y^i!6" is an awesome password. They force their users to create passwords they can never remember, despite the fact that they're only 6 or 7 characters long.

      In fact they're far better off using pass PHRASES that the user can remember and are longer, and setting an intelligent account lockout policy. The phrases don't need to be writte
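To put numbers on the length-versus-randomness point in this post, an added shell example (editorial, not from the poster) that computes the search space of short random passwords and of word-based passphrases, and the average time to guess them at two assumed rates: an online login throttled by a lockout policy, and an offline attacker who holds the encrypted disk and is not slowed by any lockout. Both rates are illustrative assumptions, as is the 7776-word Diceware list size.

```shell
#!/bin/sh
# Added example (editorial): search-space size of passwords versus passphrases
# and the average guessing time at two assumed rates. LC_ALL=C keeps the
# decimal separator stable for the printed numbers.

# entropy_bits SYMBOLS LENGTH -> bits of search space for LENGTH picks from SYMBOLS
entropy_bits() {
    LC_ALL=C awk -v n="$1" -v l="$2" 'BEGIN { printf "%.2f", l * log(n) / log(2) }'
}

# years_to_guess BITS RATE -> average years at RATE guesses/second (half the space)
years_to_guess() {
    LC_ALL=C awk -v b="$1" -v r="$2" 'BEGIN { printf "%.1f", 2^b / 2 / r / 31557600 }'
}

ONLINE_RATE=0.0056   # assumption: 5 attempts per 15 minutes under a lockout policy
OFFLINE_RATE=1000    # assumption: a slow key-derivation function, one attacker machine

# One table row: label, bits, and guessing time under both rates.
report_row() {
    label=$1; bits=$2
    printf '%-40s %6s bits  online %14s y  offline %14s y\n' \
        "$label" "$bits" \
        "$(years_to_guess "$bits" "$ONLINE_RATE")" \
        "$(years_to_guess "$bits" "$OFFLINE_RATE")"
}

# Random printable-ASCII strings (95 symbols) versus Diceware-style word lists.
report() {
    report_row "6 random printable chars (95 symbols)" "$(entropy_bits 95 6)"
    report_row "7 random printable chars (95 symbols)" "$(entropy_bits 95 7)"
    report_row "4 Diceware words (7776-word list)"     "$(entropy_bits 7776 4)"
    report_row "5 Diceware words (7776-word list)"     "$(entropy_bits 7776 5)"
}

report
```

The online column is where the lockout policy does its work: even a 6-character random password is out of reach at 5 guesses per 15 minutes. The offline column is the one that matters for the encrypted laptop in this thread, since whoever has the disk is not subject to the account lockout at all, and there the extra length of a memorable passphrase is what buys the margin.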
  • by onyx00 (145532) on Thursday January 14, 2010 @09:57AM (#30764074) Homepage

    I work at a Fortune 100 company and we recently (1 year ago) deployed disk encryption to all laptops. It sucks honestly. You can't do image backups anymore, not to mention backups are questionable because you don't always know how the backup is being done (low level copy, file copy, etc.). Furthermore, it SLOWS compiles, etc. way way down. When you are hitting the disk a ton to compile, the encryption takes a huge toll. And finally, if something goes wrong on the disk, well your data is at the hands of an IT guy they hired last week. Even worse, they won't give IT-contractors the keys to fix encryption issues, so only a limited staff can deal with disk encryption issues encountered.

  • 27% might actually use encryption someplace. Probably it is more like 1% that use encryption properly.

    I don't know how many times I will see a laptop sitting on a desk, all encrypted up, all tight and secure and shit, and happily backing up to an external unencrypted hard drive each night that is sitting right next to it on the desk.

    Perfect example of how statistics lie, and how IT policy is so easily circumvented. It also shows how much stupid/silly IT policy is created, that only marginally does what it is
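The case in this post (an encrypted laptop backing up nightly to a plain external disk) is something a simple endpoint check can catch. Added example, not from the poster: a POSIX shell script that reads lsblk output and lists every mounted filesystem whose device stack contains no dm-crypt layer, walking the parent-device column so that LVM-on-LUKS counts as encrypted; /boot is exempted because the bootloader needs it in the clear, as noted earlier in the thread. The lsblk lines in the script are a constructed sample and the device names are placeholders.

```shell
#!/bin/sh
# Added example (editorial): flag mounted filesystems that are not backed by a
# dm-crypt mapping. Input format is that of
#   lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT
# PKNAME is the parent device, so a stack like sda2 -> cryptroot -> vg-home is
# followed upwards until a TYPE="crypt" node is found.

# Constructed sample: LUKS root with LVM on top, plain /boot, and a plain USB
# backup disk mounted at /media/backup.
sample_lsblk() {
    cat <<'EOF'
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="vg-root" PKNAME="cryptroot" TYPE="lvm" MOUNTPOINT="/"
NAME="vg-home" PKNAME="cryptroot" TYPE="lvm" MOUNTPOINT="/home"
NAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT="/media/backup"
EOF
}

# Prints "MOUNTPOINT DEVICE" for each mounted filesystem with no crypt ancestor.
# (lsblk -P escapes spaces in mount points, so splitting on whitespace is safe.)
audit_unencrypted_mounts() {
    awk '
    {
        name = ""; pk = ""; type = ""; mp = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 2, length($i) - eq - 2)   # drop the quotes
            if (key == "NAME") name = val
            else if (key == "PKNAME") pk = val
            else if (key == "TYPE") type = val
            else if (key == "MOUNTPOINT") mp = val
        }
        parent[name] = pk; kind[name] = type
        if (mp != "") mount[name] = mp
    }
    END {
        for (n in mount) {
            enc = 0
            for (d = n; d != ""; d = parent[d]) if (kind[d] == "crypt") enc = 1
            if (!enc) print mount[n], n
        }
    }' | sort
}

# Exit status 1 if anything other than /boot is unencrypted, for cron or monitoring.
check_mounts() {
    audit_unencrypted_mounts |
        awk '$1 != "/boot" { bad = 1; print "UNENCRYPTED:", $0 } END { exit bad }'
}

# On a live system:  lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT | check_mounts
if [ "${1:-}" = "--demo" ]; then
    sample_lsblk | check_mounts
fi
```

On the sample the audit lists /boot (expected) and /media/backup (the unencrypted backup target), and check_mounts exits non-zero for the latter. Swap that lsblk reports with a mount point of [SWAP] shows up in the same list, which is worth knowing since an unencrypted swap partition can hold pages of whatever was in memory.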

  • In many cases, the real risk of someone accessing data is much less than the risk of losing encrypted data because you lose the means to decrypt it. I've seen users who've encrypted their own disks go to support when they forget the passphrase and insist that support decrypt it for them... er, no, sorry, you're screwed.

    Or let's say you get a hard drive failure and lose data that isn't backed up (it happens, even if you think you're careful). With an unencrypted disk, depending on the failure, you have an ou

  • Anybody else notice the irony of having a thread about how few people encrypt their mobile devices just a couple of stories below a story about the government seizing laptops?
