Security lapses highlight need for mobile data encryption

By Dave Bailey

05 May 2009

IT Leaders are insisting on a "No encryption - no laptop" policy

How many times do significant data losses have to occur before both private- and public-sector organisations face up to the fact that encryption, whether applied to laptops, USB memory devices, or other mobile devices, is the only sure-fire way of stopping personal and business-critical data from going astray?

Recently, four NHS trusts have been found in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO), and all of them have agreed in future to encrypt all portable and mobile data on devices.

Password-protected but unencrypted data was on desktop and laptop systems stolen in separate incidents from North West London Hospitals and Hull & East Yorkshire Hospitals NHS Trusts. The other two cases of data breaches both involved USB Flash memory sticks. One was a privately owned and unencrypted stick, containing personal data from Cambridge University Hospitals NHS Foundation Trust, which was found by a car wash attendant. In the other case, an encrypted computer memory stick was lost; however, when found, it had a Post-it note stuck to it with the password on it.

Castigating the NHS trusts involved, assistant Information Commissioner Mick Gorrill said, "Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them."

Asked whether complexity or money was stopping organisations from deploying device-level encryption, Butler Group senior research analyst Andy Kellett said: "I think it's a combination of those things and also a lack of knowledge. Certainly, more organisations are taking more of an interest in the need to encrypt data taken beyond the firewall."

The 1998 Data Protection Act, apart from giving individuals and organisations the right to know what information is held about them, provides a framework to ensure proper handling of that information. Key to the act are eight principles governing the processing of personal information, the seventh one being that personal information must be "secure".

On the ICO web site, two data security tips stand out with regard to protecting both personal and corporate data. The first calls for organisations to "encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen", while the second recommends that old computers should not be disposed of "until all the personal information on them has been securely removed (by using technology or destroying the hard disk)".

A recent Forrester report entitled The State of Enterprise IT Security: 2008 to 2009, which surveyed 942 IT managers in North America and Europe, found that IT security budgets were increasing to an average of 12.6 per cent of IT operating expenditure, up from 11.7 per cent in 2008.

Full-disk encryption was cited as the top client security technology to be piloted or adopted this year, along with file-level encryption, with a fifth of organisations saying they expected to pilot or adopt data-leak prevention (DLP) during the next 12 months, although the focus was on network-based DLP, rather than devices.

The biggest factors hindering the implementation of data security strategies were cost, business justification, and solution complexity, according to the survey.

Butler Group’s Kellett added that using the economic downturn as an excuse for non-deployment was very misguided: “OK, we're in a downturn – but we have to ensure that the business is firing on all cylinders and the last thing we want to be is on the front page of Computing surrounded with bad headlines.”

Reader comments

Comment

I'm using this http://www.discryptor.net/en software. I think that it really makes my data secure.

Posted by: Dahemo  07 May 2009
