Full Disk Encryption Is Better When Used Expeditiously

Two banks end up using hard drive encryption to secure data, but
their approaches are different. So are their successes with the technology.

Bank of Ireland
customers, nearly 10,000 of them, have had their information stolen. Between
June and October of last year, four laptops were stolen from the bank’s life
assurance division. The information breach included data on personal pension
plan details, dates of birth, addresses, and bank account details. Whole disk
encryption solutions like AlertBoot were not installed on the stolen laptops.
However, the bank must have realized at some point that full disk encryption is
a convenient way of securing the data on their computers: the bank is in the
process of encrypting all 5000 of them, which will take about two weeks.

This certainly pales in comparison to how the other type of bank in Ireland
handled a similar situation earlier this year. In February, an Irish blood bank
reported that almost 175,000 people could have been affected by the theft of
a laptop (actually, a mugging). But, chances are they weren’t and won’t be
because the contents of the laptop in question were encrypted. Plus, the CD that
went from Ireland all the way to New York with the data in question was
encrypted as well (a stark contrast to how the UK government approaches things).
The blood bank made sure that information was protected at every stage of the
process.

What prompts certain companies that deal with sensitive data to do everything
possible to decrease the probability of a data breach? And why do others
dillydally? After all, sensitive data remains sensitive no matter who’s holding
it. Plus, there is no guarantee that thieves, muggers, conmen, and other scum of
the earth will place some kind of moratorium on stealing your digital assets as
you try to figure out what to do—meaning, you don’t know when some guy’s gonna
hit the back of your head and steal your stuff.

So, why wait? For example, why did the bank above wait nearly one year since the
first instance of a data breach? It’s not as if encryption technologies have
suddenly gotten tremendously better or cheaper; I’m pretty certain that last
year’s offerings remain unchanged this year.

In fact, if shopping for a data protection solution this year, one may face more
difficulties: There is now so much interest in data security that companies that
have nothing to do with the security business are getting in on the act. Case in
point: A couple of months ago, an external hard drive manufacturer debuted a
hard drive with built-in encryption (RSA, if I recollect correctly). However, it
turns out that RSA, one of the handful of encryption algorithms that are
virtually impossible to crack, was relegated to a secondary function. What was
really "protecting" the contents of the hard drive was an encryption algorithm
developed in-house that was easily broken. Although there is no way to verify
it, my guess is they used that approach to save themselves some licensing fees.
I imagine more people will try to enter the market, offering security products
and concepts that are untested.

Encryption is one of those things that are better when used promptly. The sooner
you encrypt your data, the sooner encryption can begin to protect it.