Why is Encryption not used more?

Earlier this year I wrote this piece questioning why use of encryption was still not widespread. If more businesses and agencies adopted encryption, there'd be far less data leakage.

Had Fisher Hargreaves Proctor employed encryption, the breach of their site would not have been so severe. Yet businesses continue to use and store unencrypted data as a matter of course. Why?


It's so easy

It's actually never been easier to employ encryption of some form. Users of Microsoft Windows 7 Ultimate may or may not be aware that the operating system contains the ability to encrypt your hard drive. So long as your laptop/PC contains the necessary cryptographic hardware, you can implement full disk encryption at the click of a button.

Not to be left out, Linux users have also had this ability for quite some time. However, recent releases of several distributions (including Ubuntu) have made it incredibly easy to encrypt either the entire hard drive or the user's home partition. It's no more complicated to implement than ticking a box to say that you do want the partition encrypted.

Gone are the days of having to have multiple GPG containers mounted via a loopback device. Users no longer need to battle with the intricacies of GnuPG on the CLI. Instead they can use graphical interfaces to set every single detail.

Those on older versions of Windows haven't been forgotten either. Full disk encryption is available through use of TrueCrypt, a free and Open Source software solution. Those desperate to part with some cash could opt instead for solutions from the likes of BitDefender.


Why Isn't it Used?

Clearly then, the accessibility of encryption software isn't an issue. Good encryption is freely available, with corporate solutions available for those in business, yet still it isn't used nearly as widely as one might expect. Why not?

Could it be that users still think of encryption as a dark art? In days gone by, only true geeks took the time to battle with the various encryption solutions available. It may be that users are still under the impression that this is the case. If so, then wide publication of "The Dummies Guide to..." may be sufficient to help stem the tide of serious data leaks.

Or perhaps users don't recognise the importance of encryption? Given how much personal information is being published to social networking sites such as Facebook, it seems reasonable to assume that users don't necessarily understand the privacy implications inherent in our electronic world. Although most would never publish their financial information on the Internet, many don't seem to understand just how easy it is to make an electronic copy of any data stored on a PC. This lack of understanding leads to issues in the business world because users tend to display the same habits at work as they do at home.


Things have to change

The Information Commissioner's Office (ICO) recently acquired the power to fine companies up to £500,000 for failing to protect information covered by the Data Protection Act. History suggests, however, that punitive measures alone will not be sufficient. As data subjects, it is our responsibility to apply pressure to all those who hold data on us: they must begin taking reasonable measures to protect the data that they hold.

The excuses of the past are no longer valid; encryption is widely and cheaply available, requires no technical knowledge and can be applied to any file or volume. Simply password-protecting a file offers no security at all, and encryption should be used instead.




For those who are interested, I've posted documentation on how to encrypt your hard drive in Microsoft Windows.