AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Encryption ROI: You Can Sometimes Calculate A True Return On Investment For Encryption...

...but I really wouldn't recommend it.  For one, it's highly illegal.  But, as far as I can see, it's the only way you can really calculate a return on investment (ROI) when it comes to deploying and installing encryption on laptop computers.  Other reasons for not engaging in it: it's illegal; you have to deal with malware; you're scum if you do this; and it's illegal.  Did I mention it's illegal?

First, Define ROI

ROI.  These three simple letters have an unusual impact in business decision-making.  There's no shortage of efficiency experts in the business world, and everyone seems to be in agreement: you can only maximize profitability if you maximize efficiency.  Since a business concern's objective is to make money, everyone is looking to maximize their return on investment on every aspect of their business.  "What's the ROI on that particular proposal?" they ask.

The thing is, ROI only applies to assets, which is why ROI is sometimes known as ROA, return on assets.  One really shouldn't ask for an ROI on something that's not an asset; it just doesn't make sense.  For example, your janitors are not assets, no matter how well they maintain your offices, because they don't make you money.  That is, they're not an asset in the accounting sense and thus ROI/ROA cannot be calculated for them.

This is also true for office furniture, the kitchen utilities in the break room, the shredder in the corner, and the toner cartridge in your printer, among other things.

Likewise, encryption software is also not an asset, at least not in the accounting sense.  And yet when IT departments try to justify their need for the use of laptop encryption and other types of data security solutions, one of the things they are tasked with is to figure out the ROI.  If the "ROI" is not up to snuff, the proposals for certain types of information solutions are quashed.

I repeat, encryption cannot give you an ROI because it's not a money maker.  There are always exceptions, of course.

Ransomware

It sounds like a non-sequitur, but bear with me: according to ibtimes.co.uk, a band of hackers made millions of dollars in 100 days using encryption (note: a little note on the math further below).  Talk about ROI, eh?

How did they do this?  The hackers distribute a particular brand of malware known as Cryptolocker.  The malware gets downloaded to a person's computer and encrypts the hard drive.  It will only be unencrypted if the owner of the computer pays a ransom.  The cost?  $300.  If the ransom is not paid within 72 hours, the encryption key is deleted, making it impossible to recover the data.  Ever.

Well, not ever; that's a little dramatic.  But it's going to take a while, ranging anywhere from centuries to millennia, if the hackers did it right.

Of course, not all pay the ransom.  According to estimates, a minimum of 0.4% of people hit by the malware do pony up the cash.  Another estimate puts the number of affected machines between 200,000 and 250,000.  Based on these figures, the folk over at ibtimes.co.uk conservatively estimate that the hacker crew made $3,000,000 since the malware's release, in September of this year.

(Well, they initially calculated $3 million based on their estimate parameters.  I see that it's been changed to $300,000, which is the correct figure...)

Anyhow, let's return to the subject at hand, shall we?  Can we calculate an ROI in this case?  Yes.  The encryption is an instrumental part of convincing people to send in money.  You could say it's the enforcing element.  The ROI is the money the hackers made ($300 k) divided by how much it has cost the hackers to run their operations.

But, aside from pulling off a scam like the above, you're going to have problems calculating an ROI for encryption.  Honest businesses can only calculate an ROI if their laptops are stolen.  Even then, it's a theoretical exercise, since the use of encryption tends to provide safe harbor from federal and state laws that govern sensitive private data.

Of course, when a laptop is not stolen, the ROI of encryption is zero (as it should be, seeing how encryption is not an asset in the accounting sense).

Related Articles and Sites:
http://www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607

 


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.