Article by Mark Henricks
Almost none of the personal computers equipped with Microsoft’s BitLocker data encryption software are actually encrypting data with it, according to a new study.
The report, by security vendor OPSWAT, found just 1.47 percent of Windows PCs that had BitLocker included in their operating systems were actively employing encryption.
To come up with its conclusions, OPSWAT analyzed more than 35,000 reports from users of its OESIS Framework manageability solution. The reports were submitted between July 1 and August 15, 2010.
Microsoft includes BitLocker with six operating system configurations, including the Ultimate and Enterprise versions of Windows Vista and Windows 7, as well as Windows Server 2008 and Windows Server 2008 R2.
There are a variety of reasons users weren’t using the already-installed encryption tool, OPSWAT Marketing Manager Jeff Garon said. They included lack of education about encryption benefits, lack of a corporate policy requiring encryption, fear of decreased system performance, and compatibility issues with disk encryption software or encrypted data and network devices such as SSL VPN.
The few users who were actively encrypting their disks probably included particularly well-informed power users, people in regulated industries such as healthcare, or those using company networks that require it.
“Our research also found a higher percentage of encryption usage for mobile devices such as laptops and netbooks,” Garon said. “This can most likely be attributed to these devices having a higher rate of theft, therefore having more need for encrypted data.”
Garon said users who weren’t encrypting risked potential public relations and compliance problems should sensitive data such as Social Security numbers, credit card information and medical records be exposed.
CIOs who would like to avoid these risks can take a couple of steps, starting with educating workers on the benefits of disk encryption and the dangers of working without it.
“Second would be to create a corporate policy which requires disk encryption usage on storage devices which would contain sensitive data,” Garon added.
To make sure the policy is workable, he suggested looking for a hard disk encryption vendor certified to interoperate with the network access device being employed.
Cross-posted from CIOZone