It looks like encryption's dead. At least, that's what the numbers say. The recent InformationWeek Analytics State of Encryption Survey found that only 38% of organizations use mobile device encryption. That's an amazing number, considering the payoffs of protecting your most vulnerable systems.
In any given internal security assessment I'm involved with, mobile device security almost always shows up at the top of the priority list. The problem is that mobile devices like laptops, external hard drives and smartphones take sensitive business information, place it outside the otherwise secure "internal" realm and scatter it about the enterprise. The fact is that once electronic information gets out to multiple locations like this, there's no reasonable way to get it back or to know whether it's ever going to be protected the way it needs to be.
You're also going to have a hard time proving that data was or was not protected at any given time once it's out of your control. Not good for compliance. Not good in the eyes of a judge or jury, either.
Many privacy and security regulations mandate encryption or at least allow exemptions on encrypted personally identifiable information (PII). It would seem like a no-brainer. Encryption is certainly not comprehensive security, but at least encrypting mobile PII where you know it's at risk seems like common sense to me. But politics, culture and bureaucracy often stand in the way of common sense -- at least until a breach occurs. Therein lies the predicament any given business is in right now. Not only that, but:
- Practically everyone uses some sort of mobile device.
- Mobile devices and add-on storage are cheap.
- The technologies are getting smaller while the storage space grows (multi-gigabyte micro SD chips for smartphones are as small as a fingernail).
- Anyone can buy and use mobile devices in your environment and you'll never know.
- Chances are near 100% that something of business substance is going to end up mobile and unsecured.
- Mobile devices typically fall outside the scope of network management, security assessments and compliance oversight.
- Your users will experience loss or theft of a mobile device -- it's only a matter of time.
If you don't think you'll be able to take on the design and implementation headaches associated with mobile device encryption, then by all means get your vendors more involved. Vendors will often provide an engineer or two to help with the design, implementation and tweaking of technologies you've purchased.
When it comes to addressing the myriad compliance requirements I still see, default back to one of my core principles: Get back to basics. Finding the 20% low-hanging fruit such as unsecured mobile devices and plugging those holes will easily account for 80% of the value of your information security and compliance efforts. You can perform an in-depth risk assessment and do follow-up audits to determine where things stand. That's fine and good. But you don't need to make it that difficult to get started.
The fact is that if you have mobile computing devices like laptops, flash drives, external hard drives and smartphones (and who doesn't?) and you use them for any sort of business transactions, odds are that there's something on them waiting around to put your business in a bind. If you can't make that business case for mobile device encryption -- especially given the relatively small investment -- I really don't know what can be done about security.
It doesn't matter what type of industry you're in, or how big your business is. Mobile device security is a problem affecting everyone right now, and encryption is a very big part of the solution. Might you at least consider it?
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He can be reached at www.principlelogic.com.