Thursday, December 6, 2012

To encrypt or not to encrypt, that is the question

In my last post I wrote about the South Carolina breach, and this attack has now made its way to even venerable publications like the Economist.

The interesting question here is when encryption of PII or PHI at rest goes from "advanced technology that really goes above and beyond" to "industry standard".

If you look at PII or PHI on laptops or other physical devices, encryption has been standard for close to ten years now. Very few organizations allow their employees to keep sensitive data in clear text today. The main reason for that is simple economics. It is much cheaper to pay for encryption software licenses plus some extra juice in the laptops than to shell out for identity theft protection. In any organization of significant size, theft or misplacement of laptops is simply something that occurs on a monthly or even weekly basis. The other reason is that it is embarrassing, and potentially career limiting, for a CIO to have to explain why they lost the data when protection was easily and cheaply available.

Are we getting to the point where corporate networks are simply considered breachable, just as laptops are considered "stealable"? Will encryption continue to be perceived as the silver bullet that automatically provides safe harbor for the information?

I am the first to admit that I really don't have any strong answers to these questions.