This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
On the Horizon
New business initiatives mean new threats. Are you ready?
From January to May of this year, the Identity Theft Resource Center tracked 136 major identity thefts affecting 56 million people. According to the Ponemon Institute, 45 percent of such breaches result from missing laptops. At an average corporate cost of $182 per compromised record, why doesn't every company encrypt laptop data?
"Worldwide, about 20 percent of laptops are encrypted," says Richard Stone, vice president of marketing at mobile security vendor Credant Technologies. "A year ago, one barrier was budget, but most companies have now gotten past that. During the VA incident, envelopes alone to notify those affected cost $11 million. Encrypting that data would certainly have cost less."
Stone believes that many companies do not yet encrypt laptop data because they have not determined exactly what they must do to comply with regulations and make their organization secure. "Measure twice, cut once applies to encryption," he says.
Today, most companies that encrypt laptops start with a mandate. "Ten years ago, our customers made IT-initiated point decisions," says Gerhard Watzinger, CEO of SafeBoot, which also secures mobile devices. "Now, the No. 1 driver is compliance, with corporate-wide rollouts initiated at the board level."
Alexandra Kim, executive director of ISS technology at George Washington University, experienced
"It's an idea we've had for years, but a 2006 board meeting gave us a turbo charge," she says. GWU then created a five-phase plan to encrypt all confidential data with Utimaco SafeGuard. "We segmented the population and did those at the top first. Our first phase covered all users who access confidential data and carry laptops. Our next phase will encrypt all desktops in departments that use confidential data."
Highmark Blue Cross/Blue Shield in Pennsylvania found motivation aplenty to encrypt thousands of laptops and desktops. "We're a DoD (Department of Defense) contractor; we're also bound by HIPAA and SOX," says Chris Kashner, desktop specialist. "We see other companies losing data and didn't want our name in the headlines."
To address those concerns, Highmark deployed GuardianEdge Hard Disk Encryption, first to laptops, then to teleworker desktops. To stop flash drive leakage, Highmark later added Pointsec Media Encryption.
This was first published in July 2007