Why do so many IT security projects fail completely? And why do so many Mobile Data Protection (MDP) projects, ‘designed’ to seal the gaps in an organisation’s defences, fail to deliver - leaving egg all over the faces of the IT department and a management team facing the commercial and legal consequences of non compliance and catastrophic data breaches?
There is no easy answer to these questions but even a cursory glance at some high-level failures detects the truth of that old adage: “Failure to plan is to plan to fail.” The UK Government’s £21bn National Health Service (NHS) National Programme for Information Technology (NPfIT) was the classic example of a top-down master plan dictated from on high which presumed that clinicians would accept what they were given by their IT superiors.
The result was a Mexican stand off between the British Medical Association (BMA) with the support of clinicians who merely wanted input into the basic design of the system they would be using. NPfIT failed and the tax payer is now picking up the pieces.
Security of an organisation’s data is vital. It is therefore puzzling that so many organisations fail to succesfully encrypt their data. There is barely a week that goes by without a story in the media about unencrypted lost USB sticks, laptops, Personal Digital Assistants and corporate smartphones (to name only a few and now we can add iPads to the list).
According to Gartner: “Each year, hundreds of thousands of laptops, phones and removable media devices are estimated by various sources to go missing through loss or theft, to have their data copied without consent, and to be upgraded or exchanged without having their data removed.” Gartner also reports that sales of unprotected PC systems continue to outrun the provisioning of MDP.
The Mobile Data Protection (MDP) market is approximately a $1 billion market and growing 20% annually, according to Gartner. Mobile Data Protection products secure data on movable storage systems in notebooks, laptops, smartphones, and various removable media. They may also be used on desktop and servers. A £45 USB drive can hold the names of every person on the planet; an £800 laptop could contain £125 million worth of critical information. This is why encryption is the one security technology that you absolutely cannot afford to have fail.
The end user has to examine why current encryption strategies have failed to protect data, and what steps they will have to take to adopt best practices to effectively shield themselves from the consequences of a significant - and often costly - data breach. According the Ponemon Institute, the loss of a single record in the US can cost a company upwards of $225 to remediate. One of the largest mobile data breaches to date exposed 26 million records from one lost laptop - the potential costs of non compliance are staggering. Since 2005 over ½ a billion people have potentially had their identities exposed due to a data breach according to the Privacy Rights Clearinghouse.org.
As a result, organisations are required to protect data by encryption and to also provide evidence that the protection is working. Buyers who want common protection policies across multiple platforms, minimal support demands and proof that data is protected must do their research and only turn to the trusted experts. What can organisations do to avoid these costly mistakes?
Encrypting sensitive data is now one of the most important safeguards to protect organisations against security breaches, particularly those which arise from loss of hardware. Encryption provides a simple yet effective way of ensuring that lost information is unusable by malicious third parties and reduces both the risk of an actual breach occurring and the cost of remediation if one does.
As the nature, complexity and seriousness of threats grows, and as concerns over loss of sensitive data through removable media and by insiders or disgruntled business partners grows, the regulatory pressure to protect sensitive information - especially in healthcare, finance and retail - has also become acute.
However, despite the avowed interest in encryption of many organisations and the large number of them which have attempted to deploy encryption technology, the size and frequency of data loss and theft continues to grow. Why, if encryption technologies for the PC have been around for almost 30 years, is this the case? The answers may lie with some commonly held assumptions.
Common mistakes to avoid
The IT security industry has grown up over the years with some assumptions about the deployment of encryption solutions which are now outdated (if they were ever true in the first place).
Many encryption deployments are often based around the assumption that a single solution can meet the needs of all types of users, resulting in failure to provide 100% coverage. The problem is that while there may be some degree of conformity within the IT infrastructure (although this is increasingly no longer the case), there is not nearly as much uniformity across types of users and data.
Attempting to force the adoption of any one single encryption technology across an enterprise environment is very unlikely to work. The factors contributing to these include:
- Hardware inconsistencies which are incompatible with device-centric encryption
- A constantly changing Operating System environment (Multiple versions of Windows OS, Mac OS,
- External Media, Symbian, iPhone, Palm OS, Linux, Android etc.)
- The Impact on end-users of deploying encryption solutions
- Difficulties in managing the encryption technology
- The impact on current IT management processes
- Challenges in integration with the broader IT infrastructure
- The cost of end-user training
- The unique problems of a rapidly burgeoning mobile workforce
- Addressing emerging risks such as those posed by removable media, smartphones and mobile devices
The difficulties in using a single encryption technology to meet all these challenges, and the increased pressure to provide more robust security for sensitive data wherever it resides, are now causing many large organisations to rethink their approach to encryption and adopt a far more flexible, risk-oriented strategy.
The key question is how do you select an approach which will meet the needs of your whole organisation and its culture. The key to success in your IT security project is to accept, no matter what anyone else tells you, that there is no single solution which is likely to be the ‘best fit,’ as demonstrated by unsuccessful enterprise encryption rollouts over the past 20-plus years. What is needed is an approach that enables the right encryption solution to be deployed to meet the needs of different parts of your organisation, but to be managed centrally, simply, and with the lowest total cost of ownership.