In today's world of mobile workers, teleworkers, thumb drives, BlackBerries and social-networking sites, IT executives can't worry about devices - they need to focus on protecting data wherever it is.

The obvious place to start - considering that an estimated 5,000 laptops are stolen or lost each year - is the laptop hard drive: It needs encryption. (Read a column about the Drive of shame.)

Software vendors and such open source projects as TrueCrypt offer whole disk encryption across all operating systems, and Microsoft offers disk encryption in Vista, so IT executives have no excuse for not encrypting laptop data. In addition, such hardware vendors as Fujitsu, Hitachi and Seagate Technology offer hardware-based disk encryption.

Another trouble spot is e-mail. A variety of e-mail encryption methods are available, but all of them run into the same problem - they require the recipient of the encrypted e-mail to go to a secure server and enter some form of identification before they can gain access to the decrypted e-mail. For most people, this is a nuisance that rises to the level of a deal-breaker.

Another way to approach e-mail security is through data-loss prevention. DLP tools scan outgoing e-mails for such information as Social Security numbers, sensitive keywords or other possible breaches. Then they flag the offending e-mail. Companies dictate how offending e-mails are handled: They can be returned to the sender, bounced to an IT manager or encrypted.

DLP products, however, can be difficult to get right. That's because companies have to hammer out policies for determining which types of data need watching, what happens when an e-mail is flagged, and whether the individual user should be required to decide whether to encrypt specific e-mails or types of e-mails. For example, the CIO might not appreciate it when he sends an e-mail to the CFO and it gets flagged, bounced back or held up.

Other potential problem areas - everything from thumb drives to smartphones - abound. Nevertheless, vendors today are offering encrypted USB drives and business phones with encryption features. IT executives need to make data security a requirement every step of the way.

Source:http://www.networkworld.com