Despite the increasing awareness of penalties and the damage that losing personal data can do to corporate reputations, network security executives are getting less certain that they can figure out if personal data has been compromised when corporate laptops are lost or stolen.
When TheInfoPro asked the security professionals in the middle of last year, 40% said they could not determine if personally identifiable information (PII) was lost in cases of laptops gone missing. Six months later, the number who could not determine if it was compromised had risen to 59%.
Are these security executives reducing their protections? Aware of more threats to the data? It's difficult to say, says Bill Trussell, managing director of TheInfoPro.
He notes that respondents could say they were able to determine if PII was compromised only if they had full disk encryption on all laptops, and his research indicates that only about a third of those asked encrypt all laptop hard drives. Those may be the ones who say they can determine whether PII has been compromised.
The study says that is just about a third of respondents say they encrypt none of their laptops, and in conversations with some of them Trussell says some have started then halted programs to encrypt laptops. "They say they've run into more reasons not to roll it out completely," he says. These could improve laptop performance hampered by encryption and management burden of encryption add-ons separate from operating systems.
Some respondents may be waiting to upgrade to Windows 7 with its encryption capabilities, he says. Anticipation of the same feature in Windows Vista was strong until the operating system actually rolled out. "Until they found problems, they were pretty excited about it," he says.