After the 9/11 attacks IT security quickly focused on disaster recovery as enterprises learned that data backup and recovery systems were paramount to their ability to continue business operations after an unexpected catastrophic event. Hurricanes Katrina and Rita further strengthened the importance of disaster recovery in a company’s IT security strategy. However, recent events seem to be increasingly shifting the focus of IT security on data protection and, specifically on encryption.

No Problem Justifying Return on Investment

The potential liability exposure resulting from a breach in data security, such as what happened with the data security breaches at TJX that involved the undetected theft of sensitive customer information over an 18-month period is mind-boggling. Although TXJ estimates liability payouts to reach “only” $107 million - which analysts say is highly optimistic since the potential exposure is more likely over $1 billion - such risks clearly justify planning and expenditures to beef up the security of sensitive information. The company also estimates it will spend about $11 million in security consulting fees necessitated to study the causes for the breach and prevent their reoccurence. It doesn’t take a rocket scientist to quickly calculate that had the $11 million been spent up front to avoid even the overly optimistic figure of $107 million in payouts, that the return on investment would have been more than $9 for every dollar spent.

Added to the financial risks are the potential risks of embarrassment. Take, for example, the recent news story that candidate information stored on Monster.com was infiltrated successfully by a Trojan and it’s easy to understand the potential for public fallout that can arise from inadequately protected data. How this will impact the number of candidates who are willing to share their personal contact data with online job sites - critical to the success of any job site - remains to be scene. To date, Monster seems to be quiet on the issue and to be taking the stance that “it was no big deal”.

The potential for financial loss and public embarrassment is also a concern for small and medium sized businesses, perhaps to an even greater degree, since similar events could result in the complete bankruptcy and discontinuation of the business.

An Increasingly Mobile Workforce Adds Fuel to the Fire

As the work force becomes increasingly mobile and road warriors abound, the number of data devices that support mobile workers is also increasing and those devices are becoming more and more affordable, putting them into reach for deployment by an increasing number of small and medium sized businesses as well as large enterprises. Unfortunately, in spite of the great conveniences these mobile devices offer, they can also create a security nightmare for the small and medium sized businesses that mistakenly believe the devices are inherently secure enough without any increased cause for concern.

The main problem with data stored on devices that are getting smaller and smaller is that the devices themselves get easier and easier to lose, especially on the road and they are also getting easier to steal because they conceal easily. When properly put in place, encryption, especially when combined with access control and port management, is an effective means of protecting the important enterprise data contained on such devices.

A survey of attendees at the 2007 InfoSec security conference in London indicated that almost 40 percent of middle and senior-level IT managers felt these portable tools for the road warrior represented their top security concern, 80 percent of those surveyed indicated they have not yet implemented effective security policies for them. And, 76 percent of IT professionals surveyed in a 2006 study by Check Point Software in Belgium, Luxembourg, and the Netherlands, said that they never use any data security to protect information stored on USB devices.

Traditional Network Security is Insufficient

Obviously, network security measures were insufficient to protect the data of TJX customers and Monster candidates. This is obvious in both cases, especially since the Monster Trojan was released through a legitimate employer account log in to access candidate information.

In the case of mobile devices, because users may roam between multiple networks and because users may also take advantage of non-network communications, such as Blue Tooth, network security alone is not sufficient protection for mobile devices either. While networks can provide some degree of protection, such as anti-virus, or anti-spam protection, even to mobile devices, there is still an important need for the device-level “data-at-rest” protection that encryption can provide. All the network security in the world won’t protect sensitive data if the mobile device is stolen or lost.

Why Encryption Makes Sense

Encrypting data makes sense on both mobile devices and for “data-at-rest” on larger storage systems because it makes the data worthless to unauthorized users. Encryption software converts data into “ciphertext”, which must then be decrypted or “un-encrypted” in order for it to be usable. Only users with the proper credentials are able to access the stored data and read it. While the initial indication is that a valid log-on account was used to steal the information stored on Monster, it may be possible that additional encryption measures would have prevented the use of any of the stolen data.

Finding the Perfect Encryption Solution

Whether you’ve been thinking about putting encryption in place to enhance your IT security measures or you’re thinking about replacing an existing solution that’s not meeting your needs, every product is unique. It’s important to understand your specific needs and potential vulnerabilities before you commit to any encryption solution. For example, Pointsec Mobile from Check Point provides one encryption solution for mobile devices running Symbian, Pocket PC, Windows Mobile SmartPhone and Palm by encrypting files on the devices as well as their related memory cards. In doing so, encryption is performed automatically without user intervention, and it allows easy transfer of encrypted data between Pointsec protected devices. Many other top IT security software companies, including McAfee and RSA also offer wireless versions of their encryption software.

These are not necessarily one-size-fits-all solutions. That’s why we suggest that you Contact a security encryption pro from CopiaTECH to help sort out your encryption needs, find the solution that best meets those needs and your budget, and get to work on protecting sensitive data and reducing your exposure to financial risk and your potential for public embarrassment: Before it’s too late.

Related:

Monster.com Data Compromised by Trojan
TJX Sets Aside $2.60 For Each Breached Customer Credit File
Portable Devices Pose Growing IT Security Threat
Wireless Encryption Software - What You Need to Know