Small data breach draws big fine, signals need for encryption

Just two weeks ago, a non-profit healthcare provider was slapped with a $50,000 fine from the Department of Health & Human Services (HHS) for violating the HIPAA security rules, after losing an unencrypted laptop containing the sensitive personal information of 441 patients. This is the first HHS penalty for a data breach involving fewer than 500 victims.

For small healthcare providers, this signals an escalation in the consequences of a data breach, as organizations will be held accountable regardless of size. A fine of $50,000 is a lot of money for a small practice, especially a non-profit provider.

As we’ve discussed in the past, the average cost per record of a healthcare data breach is $240, which is 24 percent higher than average. As fines become more common, healthcare organizations of all sizes need to make sure patient data is managed appropriately.

Data Stored in the Clouds: Is Server-side Encryption Enough?

We have seen dozens of businesses pop up to help users store information in the cloud, both personal and business. The inherent benefits to data storage in the cloud are obvious: virtually limitless storage, no required maintenance or upgrades, and little to no administration overhead required. But what about the risks? You simply can’t ignore the security of the data you store in the cloud, particularly as the heat of constant cyber attacks intensifies. How can businesses trust that their data is safe when stored in third-party data centers?

Several factors play into the business decision to use cloud storage solutions today. One of these concerns the actual physical location of the stored data. This is especially relevant in today’s world of increasing government and industry regulation. Closely related to this is the need for privacy, which is itself an impetus for stricter regulations. Cloud providers offer service level agreements of varying strength regarding the security of the information they store, and this information may need to be produced as part of legal proceedings. And yet, businesses can no longer afford to ignore one of the most significant drivers of cloud adoption – cost. The cloud can make storage far more cost-effective and workers more productive.

Full Disk Encryption: Security on a Wild Ride

Suppose you were being seated in a roller coaster car. You pull down your lap bar, and the guy sitting next to you refuses, saying he will just hold on while the car twists and turns and flips upside-down, because he finds the restraints uncomfortable. This is obviously foolish; the safety measures are there for a reason, and anyone who doesn’t use them is just asking for trouble.

Business security today is much like our hypothetical roller coaster, with its ups and downs that require protection for our intellectual property and other assets. And one of the most fundamental – yet widely neglected – security measures is the use of full disk encryption (FDE). Let’s look at some of the fundamental questions surrounding FDE, and why you should take another look at it.

Why aren’t more businesses taking advantage of it?

Some Incidents are Completely Avoidable

Over the past several weeks I’ve had the opportunity to present Symantec’s Internet Security Threat Reports to several of our customers. It has been interesting to see the different reactions and feedback to various sections of the report, but one particular statistic in the report seems to consistently receive positive feedback and general agreement.

The statistic in question is from The Top Causes for Data Breach by Number of Incidents, 2011. The specific statistic is that 34% of all incidents are due to Theft or Loss. When I’ve discussed this particular statistic with customers, I have proposed that these incidents are entirely unnecessary.

At the root of nearly all of these types of incidents is a failure to properly implement, utilize, and enforce the judicious use of encryption on laptops, mobile devices, backup tapes, USB storage, and other removable media. If encryption is not in place on these devices and they are lost or stolen, most organizations have to assume that sensitive data was exposed and, depending on applicable laws and regulatory requirements, report it as a data breach event.

Negligent Employees and Malicious Attacks Cause 75% of Data Breaches

The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than the prior two years[i], with over 31 million records breached[ii]. And, as the number of reported breaches continued to rise, organizations still paid a hefty cost for data breaches, according to this year’s Cost of a Data Breach Study. The organizational cost of a data breach was $5.5 million last year, and the cost per lost or stolen record was $194.

Let’s dive into some of the more interesting findings from this year’s study.

Malicious Attacks Most Costly Breaches

Malicious or criminal attacks are causing almost as many breaches as negligent insiders. In 2011, negligence was the root cause of 39 percent of the data breaches, while malicious attacks caused 37 percent of data breaches (up 6 points from 2010). For the first time malicious attacks account for more than a third of breaches; they also remain the most costly type of breach at $222 per compromised record.

The Internet – A Blessing or Double-Edged Sword?

The Internet has grown to be one of the most important information and business conduits the world has ever seen. While it’s brought us amazing new capabilities over the past 15 years or so, the Internet comes with its downside. Much like the days when America was stretching itself from the east to the west, the “wild west” was a ripe playground for “bad” people. The same goes for the Internet.

It is a double-edged sword. We have amazing capabilities, but also a perfect landscape for lawlessness. Hackers and cybercriminals have taken note. Today, they leverage the Internet to target specific individuals or groups of individuals at specific companies, getting them to react to an email message that directs them to an attacker’s site, which silently downloads malware to begin the process of gaining access and stealing data or IP. What’s more, they’re automating their attacks. Sophisticated attackers are leveraging the power of scripting tools and computing power to call together vast numbers of computers to aid in perpetrating automated attacks.

iOS Devices: Your CEO wants one, IT wants the data on it secure

IT is constantly adapting to new realities spurred by the types of technologies that people are using and bringing into the enterprise environment. One of the most disruptive technologies of late has been iOS devices. These devices are massively popular, and for good reason. Whether you’re a vice president keeping up on the latest sales reports mid-flight via your iPad or a physician accessing medical reports while meeting with a patient, iOS devices can improve productivity.

Platforms such as iOS have been designed from the ground up to be more secure—they raise the bar by leveraging techniques such as application isolation, provenance, device encryption, and permission-based access control. However, these devices were designed for consumers and, as such, security has been traded off for usability to varying degrees. It’s this usability that makes them so popular among consumers.

Regulations Driving Data Breach Costs Higher Worldwide

It seems that no matter where you are, you’re paying more for a data breach these days. The Ponemon Institute, together with Symantec, released results of the second annual 2010 Global Cost of a Data Breach report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary between regions. The United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114 (a whopping $100 less than the United States).

But enough with the numbers; the interesting stuff is what’s behind the rising global cost of a data breach. It’s certainly true that companies face intense pressure to improve data security. In 2010, there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile data breaches really aren’t anything new—though they’re probably getting more attention than in years past. What has continued to evolve is regulation.

Device Control: The Path to Enforcing Encryption Policy

Take a minute if you will and consider the following scenario. It’s likely a familiar one; just do a quick Internet search of data breaches and it will pop up again and again and again.

Company XYZ has a security policy that mandates the use of encrypted USB storage and issues the appropriate devices to its users. However, the company still finds itself at risk from a data breach because users continue to use unencrypted portable storage.

I’d bet that the CEO of this company, and every company dealing with such a data breach, was caught by surprise. After all, they had a security policy in place and they issued encrypted devices to their staff, yet still there’s an incident of data loss that they must deal with.

Protecting Corporate Data—1024-bit Encryption and Beyond

There’s little question that enterprises and consumers are facing increased threats from cybercriminals. It seems that every day, we are hearing about another government entity or large business being hacked and losing files in more insidious ways.

Encryption has been the standard technology for decades to protect data wherever it is – in motion, in use and in storage. For years, 1024-bit encryption has been popular to protect sensitive commercial and government data. Given the constant advancements in computing power, however, it’s a given that encryption that is good enough today will not be good enough down the road.

In anticipation of this need for ever-greater security, the National Institute of Standards and Technology (NIST) has mandated the adoption of 2048-bit encryption by the end of 2013. This announcement, however, does not mean that 1024-bit encryption is no longer sufficient today. The fact remains that 1024-bit encryption has never been cracked – and it would take millions of computers and a couple years to break just one code at that level.
