So I'm continuing to read the new report released by Absolute and the Ponemon Institute, and their survey seems to back up what I've felt for a long time: people don't really understand what disk encryption software does, even when they sign up for it.
Consider the following result:
Assuming their laptops are encrypted, 57 percent of business managers believe there is no chance or less than a 10 percent chance of having their sensitive information accessed if they should access an insecure wireless network. In contrast, only 27 percent of IT security practitioners are confident that there would be zero or less than a 10 percent chance of losing data when accessing an insecure wireless network. [my emphasis]
What's jaw-dropping to me is that figure of 27% for IT security practitioners. Granted, this may be because of how the survey question is interpreted:
Q11b. If you were accessing the Internet from an insecure wireless network, what do you think is the probability that someone else would be able to access your sensitive or confidential information assuming the laptop computer had an encryption solution? [my emphasis]
I should point out that "laptops are encrypted" and "laptop computer had an encryption solution" can be interpreted differently. The former implies, at least to me, the use of a full disk encryption solution, whereas the latter could include disk encryption as well as file or folder encryption solutions.
If all of your files or folders are encrypted, I can understand why some security professionals would think using an insecure wireless network wouldn't lead to a data breach: the information is encrypted no matter what. If someone intercepts an encrypted attachment because it's traveling through an unsecured network, the contents of that attachment are still secure.
However, when it comes to an encryption solution like FDE, one can't assume that one's data will be protected when using insecure wireless networks.
Consider this example using a more familiar product: the owner of a strongbox puts the key into the strongbox and opens it to work with the contents of the strongbox. In such a state, the strongbox cannot protect its contents until it's closed and locked again.
Likewise with FDE: the disk with encryption is the strongbox, the data is the content of the strongbox, and the password is the key to the strongbox. As long as a user is working on an encrypted computer, the contents/data are vulnerable.
Also, just like with the strongbox, if you copy data off a computer that employs full disk encryption--say, to an unprotected USB flash drive or in an e-mail to a co-worker--that data will not be encrypted any longer because it's not on your encrypted drive anymore. This is a crucial point to understand.
FDE doesn't encrypt your data; it encrypts your hard drive. Since your data is saved to the protected hard drive, your data is protected as well...but only as long as it's on that drive. Again, e-mail it, and it won't be protected anymore. And, like I noted, FDE cannot protect your data while you're using the computer.
In many instances, I use the strongbox as a metaphor, and people quickly understand what FDE solutions like AlertBoot can and cannot do when it comes to data protection.
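The strongbox behavior described above can be modeled in a few lines. This is an added example, not code from AlertBoot or the report: the EncryptedDisk class, the passwords and the sample data are hypothetical, and toy_cipher is an insecure stand-in for a real disk cipher so the sketch runs with the standard library only.

```python
import hashlib

def toy_cipher(key: bytes, sector: int, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream. Stand-in for a real disk cipher; NOT secure."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        seed = key + sector.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class EncryptedDisk:
    """Hypothetical FDE volume: the drive itself only ever holds ciphertext."""
    def __init__(self):
        self.sectors = {}   # raw view: what someone reads from a powered-off laptop
        self._key = None    # held in memory only while the user has unlocked the disk

    def unlock(self, password: str) -> None:
        self._key = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), b"constructed-salt", 10_000)

    def lock(self) -> None:
        self._key = None

    def write(self, sector: int, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError("disk is locked")
        self.sectors[sector] = toy_cipher(self._key, sector, plaintext)

    def read(self, sector: int) -> bytes:
        # Transparent decryption: any program on the unlocked machine gets plaintext.
        if self._key is None:
            raise PermissionError("disk is locked")
        return toy_cipher(self._key, sector, self.sectors[sector])

def demo() -> dict:
    secret = b"constructed sample: Q3 payroll figures"
    disk = EncryptedDisk()
    disk.unlock("strongbox-key")
    disk.write(0, secret)
    usb_copy = disk.read(0)  # copy to USB or e-mail: the data leaves as plaintext
    file_key = hashlib.sha256(b"separate file passphrase").digest()
    file_copy = toy_cipher(file_key, 0, disk.read(0))  # file-level: stays encrypted
    disk.lock()
    return {"at_rest_ciphertext": disk.sectors[0] != secret,
            "usb_copy_plaintext": usb_copy == secret,
            "file_copy_ciphertext": file_copy != secret}
```

All three values returned by demo() are True: the drive holds ciphertext, the copy taken through the unlocked disk is plaintext, and only the separately encrypted file keeps its protection once it leaves the drive.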
Related Articles and Sites: http://www.absolute.com/resource_center/whitepapers/ponemon-human-factor