The continuing failure by most enterprises to encrypt sensitive data stored on laptops and other mobile devices is inexcusable, analysts said following BP's disclosure this week of a data compromise involving a lost laptop.
The computer contained unencrypted personal data such as names, Social Security numbers and dates of birth belonging to about 13,000 individuals who had submitted claims with the company over last year's disastrous oil spill.
According to BP, an employee lost the laptop while on routine business travel.
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks, and other mobile devices account for a substantial portion of breaches these days.
According to statistics maintained by the Privacy Rights Clearinghouse, for instance, about 30 of the 144 data breaches announced so far this year involved portable devices.
Security analysts have long pushed the use of encryption as one of the most effective ways of protecting data on portable devices, especially laptops, against these sorts of breaches.
Even so, a distressingly large number of companies have continued to ignore the advice -- some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
"There really is no excuse for not encrypting laptops," said Avivah Litan, an analyst with Gartner.
Enterprises that buy in volume can get encryption products for as little as $15 per laptop, so cost shouldn't be an issue, Litan said.
Similarly, while full disk encryption can have an impact on laptop performance, the trade-off in terms of better security is fully worth it, Litan said.
"Enterprises that are not putting in laptop encryption are just being lazy," she said.
The growing cost of data breaches in particular should be pushing companies to adopt portable encryption more aggressively, say analysts. The Ponemon Group released a report last month showing how companies that experience data breaches these days can end up paying close to $214 per compromised record on average.
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst with Spire Security.
The only legitimate barrier that companies can claim is the management overhead associated with laptop encryption. And even here, enterprises should be doing more to push their vendors for more easily manageable products, he said.
"I am not a fan of regulations in general so I am not ready for a mandate," from government requiring laptop encryption, he said. "However, some sort of penalty on loss might be in order."