The Human Factor in Laptop Encryption

The Human Factor in Laptop Encryption: US Study Sponsored by Absolute Software Independently conducted by Ponemon Institute LLC Publication Date: Dece mber 2008
Ponemon Institute© Private & Confidential Document
The Human Factor in Laptop Encryption: US Study Executive Summary by Dr. Larry Ponemon, December 2008 Encryption is one of the most important security tools in the defense of information assets. Ponemon Institute has conducted numerous studies on organizations' use of encryption to prevent the loss of sensitive and confidential information. These studies have shown that encryption can be an effective deterrent. However, our studies also show that in order to be effective, encryption requires organizations and users to take appropriate steps to make sure sensitive and confidential information is protected as much as possible. Ponemon Institute conducted this study sponsored by Absolute Software on The Human Factor in Laptop Encryption to understand employees' perceptions about ensuring that information assets entrusted to their care are effectively managed in encryption environments, especially the use of whole disk encryption on laptop computers. The study also was conducted in the United Kingdom and Canada. The results are published in separate reports. What we learned is that a high percentage of employees we surveyed in non-IT business functions (referred to as business managers in this report) are not taking such precautionary steps as using complex passwords, not sharing passwords, using a privacy shield, keeping their laptop physically safe when traveling or locking their laptop to protect sensitive and confidential data. Further, many respondents believe that encrypted solutions make it unnecessary to take other security measures. In contrast, their colleagues in corporate IT and IT security functions (referred to as IT security practitioners in this report) are diligent in taking all or most precautionary steps to safeguard the sensitive and confidential information on their laptops. They believe encryption is an important security tool, but believe it is critical to follow certain procedures to ensure that data is protected if a laptop is lost or stolen. The following are some of the most salient findings: ƒ Ninety-two percent of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach. Only 45% report that the organization was able to prove the contents were encrypted. ƒ Fifty-two percent of business managers surveyed strongly agree and agree that encryption stops cyber criminals from stealing data on laptops versus 46% of IT and IT security practitioners who strongly agree or agree. ƒ Fifty-seven percent of business managers surveyed record their encryption password on a private document such as a post-it note to jog their memory or share the key with other individuals. Virtually none of the IT security practitioners record their password on a private document or share it with another person. ƒ Fifty-six percent of business managers have disengaged their laptop's encryption solution and 48% admit this is in violation of their company's security policy. ƒ Fifty-nine percent of business managers sometimes or often leave their laptop with a stranger when traveling. We believe this research is particularly timely because previous studies conducted by Ponemon Institute have shown that the lost or stolen laptop is the number one cause of data loss. In this study we surveyed 720 IT security practitioners and 874 business managers from US-based organizations on the following topics related to their use of laptop encryption: ƒ The use of encryption tools to protect information contained on the laptop computers assigned to them by their employer. ƒ Perceptions IT security practitioners have about the use of encryption to protect information assets on their laptops. ƒ Perceptions business managers have about the use of encryption to protect information assets on their laptops.
Ponemon Institute© Private & Confidential Document Page 2
ƒ The procedures business managers follow or do not follow to safeguard the sensitive and confidential information on their laptops. Key Findings Following are the key findings of this survey research. Please note that most of the results are displayed in a bar chart format. The a... [download for more]