Why don’t firms encrypt?

On February 11, 2007, in Security, by

Thanks to Martin McKeay for the long list of security bloggers that were at the RSA conference last week… there are more blogs in my RSS reader now…

In listening to the podcast, where a caller asked “Why don’t firms encrypt?”… I’ll tell you why, Martin. For two years I was Chairman of the Technology Committee of the California Society of CPAs.  During those two years we discussed the fact that no major tax accounting software built encryption into the tax data housed on our networks.  Go to any CPA firm, open up the tax client database in Notepad and look at the SSNs you can read there.  No encryption.  And why is this acceptable?  It’s not.  But I can’t now, nor could I then as Chairman, push my fellow CPAs to deploy something that the vendors themselves would not support in a network setting.  I can’t recommend that people go outside the support boundaries of software they depend on if the risk of going outside that boundary is greater than the risk of the thing they are trying to mitigate.  I know that sentence doesn’t make the greatest grammar in the world, but there’s a risk to encryption just as high as the risk of not encrypting.
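The “open it in Notepad” check above can be turned into a repeatable audit. The script below is an added example (mine, not the author’s or any tax vendor’s code): it scans a data file for SSN-shaped values and measures the file’s byte entropy, which is the quickest way to tell plaintext from a properly encrypted file. The sample “database” is constructed inline with fabricated, never-issued SSN values, and the high-entropy stand-in for ciphertext is simply random bytes, since output from a real cipher is indistinguishable from random.

```python
import math
import os
import re
from collections import Counter

# Dashed SSN layout, or 9 contiguous digits bounded by non-digits (some
# databases strip the dashes). Lookarounds stop 10+ digit IDs from matching.
SSN_PATTERN = re.compile(rb"(?<!\d)(?:\d{3}-\d{2}-\d{4}|\d{9})(?!\d)")


def find_plaintext_ssns(data: bytes) -> list[str]:
    """Return every SSN-shaped value readable in the raw bytes."""
    return [m.decode("ascii") for m in SSN_PATTERN.findall(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. ASCII/text data sits around 4-5; ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data: bytes, threshold: float = 7.0) -> bool:
    # Caveat: compressed archives are high-entropy too, so this says
    # "not plaintext", not "encrypted". Use a sample of at least ~1 KB;
    # a tiny file cannot reach 8 bits/byte even if it is ciphertext.
    return shannon_entropy(data) >= threshold


def audit(data: bytes) -> dict:
    """Summarise what an attacker with read access to the file would learn."""
    ssns = find_plaintext_ssns(data)
    return {
        "plaintext_ssns": len(ssns),
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "high_entropy": is_high_entropy(data),
    }


def build_sample_db(n_records: int = 200) -> bytes:
    """Constructed plaintext 'tax client database'. SSNs with a 9xx area
    number are never issued, so these values are fabricated by design."""
    rows = []
    for i in range(n_records):
        ssn = f"9{i % 10}{(i // 10) % 10}-45-{6000 + i:04d}"
        rows.append(
            f"client_id={1000 + i},name=Client {i},ssn={ssn},agi={40000 + i * 37}\n".encode()
        )
    return b"".join(rows)


def high_entropy_sample(n: int = 4096) -> bytes:
    """Stand-in for an encrypted file: random bytes look like ciphertext."""
    return os.urandom(n)


if __name__ == "__main__":
    print("plaintext db :", audit(build_sample_db()))
    print("encrypted db :", audit(high_entropy_sample()))
```

Run it against a copy of the real client database file (never the live one) and a non-empty result in `plaintext_ssns`, or an entropy figure in the 4-5 range, is the concrete finding to put in front of a vendor when asking for encryption support.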

To Dan from Canada… we as businesses don’t encrypt because there’s the issue of vendor support for encryption.  Yes, business is about risk and costs, but there’s a bigger picture here.  It’s about support as well.  Currently no major US tax accounting software vendor has gone on the record as supporting encryption, nor do they build it into the database.  Thus there’s a cost not only in not encrypting… but right now just as large a cost, in risk to my firm, if I do encrypt.  If network encryption can’t be properly deployed, properly supported, properly implemented, that’s a risk and a cost as well that I must evaluate.

That’s not to say that I’m not giving feedback and pushing them to better support encryption, just that I’ve looked at the risks on both sides, and for some deployments encryption too has its risks.

So much of security risk is not black and white and computable; it’s about opinion.  It’s about evaluating and accepting what we’ll consider “OK”.  So many decisions in businesses of all sizes are made based on “warm fuzzy feelings” and not real and true risks.  That too is something we need to work on.  We need to fix real issues, and not ones that look like issues when the risk is acceptable.

A year or two more… it might be longer than that, if we can’t properly deploy encryption and ensure that the risk of loss from data at risk is balanced against the risk of loss from improperly encrypted data.

At home and in small businesses, we are a lot more agile than large businesses.  Dan, you can do it because you have the processes in place and can accept the risk of a lack of vendor support.  Get into a larger and larger business, and that’s not so black and white.

Encryption costs.  We understand the risks… sometimes we can’t do it because the current technology we are using won’t support the encryption overhead.  I’d love this to be a black and white “you must do this”… the reality is I can’t.  There’s a secondary issue to all these laptop security incidents… do they need the data on them in the first place?  Perhaps encryption “and” a rethinking of how the network is set up is wise?


And Martin?  Later in the podcast you indicate that you aren’t going to touch Vista, not for 2007 or even 2008… that you may get it for your laptop to check it out… I’d challenge you to touch Vista sooner rather than later, for BitLocker alone.  If encryption is that important to the security industry… check it out.  Then go push for it in the “Vista Business” version rather than just as a “Software Assurance” carrot, or only in Ultimate, for the normal firm.