The research also revealed the reasons organizations choose to encrypt laptop and desktop computers in the first place. Across all four countries studied, and with respondents naming their top two reasons why data is encrypted on systems in their organizations, compliance with self-regulatory programs (32%) and national data protection laws (30%) came out on top. Following were:
• 25%: Minimizing exposure resulting from lost computers
• 23%: Avoiding harm to customers resulting from data loss
• 20%: Improving security posture
• 18%: Minimizing the cost of a data breach
• 17%: Complying with vendor/business partner agreements
• 10%: Minimizing the effect of cyberattacks
Whatever the cost or cost benefit, and whether free or commercial products are used, the Electronic Frontier Foundation is encouraging the use of FDE for protecting data on mobile devices. "Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key," said the nonprofit advocacy group. "Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer. Fortunately, modern computer systems come with comparatively easy full-disk encryption tools that let you encrypt the contents of your hard drive with a passphrase that will be required when you start your computer. Using these tools is the most fundamental security precaution for computer users who have confidential information on their hard drives and are concerned about losing control over their computers."
Likewise, Aberdeen IT security research fellow Derek Brink recommended that organizations "do something." In the report "Endpoint Security: Hardware Roots of Trust," which examines the increasing vulnerabilities in software and how hardware can be used to mitigate risk, Brink writes, "Regardless of which approach to data protection is taken, all companies should be doing something to mitigate this risk."
Aberdeen research has shown that between the models of encrypting only specific files or folders and the "brute force" of encrypting everything on the endpoint, the general trend is toward full-disk encryption and, increasingly, self-encrypting drives. SEDs include a circuit built into the disk drive controller chip that encrypts all data automatically.
Brink adds that any type of encryption should be integrated with existing processes, including identity management and helpdesk processes, backup and recovery, patch management and end-user training. "The extent to which endpoint encryption can be made systematic and integral to these types of processes will be the biggest contributor to success, particularly on large-scale rollouts."
Follow Deb Donston-Miller on Twitter at @debdonston.