Mobile device encryption - a practice not often applied

By Shamus McGillicuddy, News Writer 06 Nov 2006 | SearchCIO.com

News on networking, mobility and voice Digg This!     StumbleUpon     Del.icio.us

"I'm concerned that a great number of companies are still not protecting their data," said John Girard, vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc. "The sales of [encryption] products over the last number of years are still a small fraction of the laptops and mobile devices out there."

It's a known threat and an easy threat to understand, but most organizations don't allocate the resources necessary to bring it truly under control. Carmi Levy senor research analyst, Info-Tech Research Group

Credant Technologies Inc., an Addison, Texas-based vendor of mobile encryption technology, recently surveyed 426 IT professionals worldwide. Eight-eight percent said they know large amounts of sensitive data are sitting on their employees' mobile devices. Seventy-two percent said the best way to protect that data is through encryption. But only 20% said they have actually deployed encryption on those devices.

"Those numbers make sense to me because most of the people we speak with are reporting that it hasn't even hit their radar screen yet," said Carmi Levy, a senor research analyst at Info-Tech Research Group Inc. in London, Ontario.

Levy said there seems to be a mental block among companies about the threat mobile devices present to data security.

"Traditionally, [mobile devices] have been seen as low-powered, low-capacity adjunct to the corporate tool set," Levy said.

However, anyone who reads the news knows that laptops with thousands of sensitive records on customers and employees are lost or stolen every month.

Levy compares the attitude toward unsecured mobile data to drunken driving. The message is clear to everyone: Drinking and driving is dangerous and can have serous legal consequences. Yet thousands continue to die every year in alcohol-related accidents.

"The same ethos applies to mobile data security," Levy said. "It's a known threat and an easy threat to understand, but most organizations don't allocate the resources necessary to bring it truly under control."

The Credant survey asked respondents to list reasons why their companies hadn't adopted encryption. Fifty-six percent said it was due to a lack of funding; 51% said encryption was not an executive priority; and 50% said they were impeded by limited IT resources.

"No one wants to pay for this," Girard said.

Randy Maib, senior IT consultant at Integris Health Inc., an Oklahoma City-based hospital chain, deployed Credant's mobile encryption to all of his organizations' mobile devices five years ago.

"From having conversations with [my peers] it seems more and more are aware that they need to be doing encryption, but a lot of them don't have a basis for where that encryption should take place and in what circumstances," Maib said. "But it's becoming more and more prominent, talk about security and HIPAA [The Health Information Portability and Accountability Act]. But a lot of them haven't heard about client-side encryption. They believe that if they've got a password it's good enough."

Maib said his company's former CIO was the key to putting Intregis on the leading edge with encryption.

"Our previous CIO was an extreme visionary," he said. "We started to go down the road to see who was ahead of the game [in encryption], find out what kind of practices the industry started doing."

"Before that, the bulk of security was physicians and administrative personnel who knew how to enable the security features of the Palm operation system," Maib said.

Maib said about 300 of his company's several thousand doctors are solely using mobile devices for their work, but that population is growing.

He said the physicians were resistant to adopting the encryption at first because they didn't want any impediments to getting patient data. But Maib said he has made it fairly simple for doctors to decrypt data with a PIN.

Girard said encryption is the simplest way to take care of mobile data, but many companies fear implementation.

"There's a lot of fear that encrypting a device will slow it down," Girard said. "There is also concern that an encrypted device is harder to recover, diagnose or repair. Both of these, under certain circumstances, are legitimate concerns. But most devices have more power now."

Girard said users will object to anything that makes it hard to use a mobile device.

"The device is supposed to be easy to use," Girard said. "You put something on here that makes it take more than 30 seconds to log onto a PDA, how am I going to feel? The whole idea is convenience. That's the expectation people have. Make sure any security you put into a device is not distracting to the user, but it can't be transparent."

Levy said IT needs to prioritize mobile encryption. He said mobile devices don't always get attention because companies haven't implemented a mobile security strategy. He said this is partly a legacy of the history of mobile devices being brought into organizations by end users who have connected surreptitiously.

This article originally appeared on SearchCIO.com

Tags: Mobile Authentication and Encryption,  Mobile Policies and Procedures,  Mobile Management Tools,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Mobile Authentication and Encryption Sybase offers enterprise-ready iPhone solution on the App Store Two-factor authentication: Mobile security at your fingertips RIM makes hostile takeover bid for encryption vendor Certicom In-the-cloud defenses for mobile malware Podcast: The truth about network security and mobile device access iPhone encryption is a must for the security-conscious enterprise Sybase iAnywhere launches productivity suite that tunnels critical business apps through email Mobile voice encryption gets cheaper, easier to do Avoiding data breaches through mobile encryption Mobile device security: Improving mobile authentication Mobile Authentication and Encryption Research Mobile Policies and Procedures Securing corporate data on your laptops Podcast: FAQs on mobile policies Developing and instituting corporate mobile device policies Mobile security: Asserting control over mobile devices Mobile security culture starts at the top Detecting rogue mobile devices on your network Mobile security policies Defining your mobile security policy Government regulations and mobile security policies Mobile security policies: Why a policy is important Mobile Management Tools Future proofing mobile device management Managing mobile device diversity Mobile device management: What can it do for your organization? Managing your company's cellular assets with telecom expense management Sybase adds antivirus and firewall to mobile management suite 3G iPhone fast but lacks management tools mobile enterprises need Motorola Good offers smartphone users NOC-based VPN Latest Zenprise offering helps automate BlackBerry support Virginia mobilizes utility protection data, cutting costs and saving time Despite hurdles, mobile developers eager to build iPhone applications

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CCMP  (SearchMobileComputing.com) drive-by spamming  (SearchMobileComputing.com) LEAP (Lightweight Extensible Authentication Protocol)  (SearchMobileComputing.com) Open System Authentication (OSA)  (SearchMobileComputing.com) SIM card  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary