Three years ago, when stories of confidential data getting into the public domain were all over the media, we took the decision to deliver all recovered data to our customers in an encrypted form, and not only when the customer requested it. After evaluating various programmes we chose to use the full disk encryption program TrueCrypt, as it was by far the simplest to incorporate into our processes and easiest to use for our customers. Encrypting the recovered data protected it in the unlikely event that the media went missing in transit. This seemed to be an obvious step, and we expected that our customers would be delighted by the additional security measures we had put in place to protect their confidential data.
To our surprise, feedback from customers was mixed, as the reasons for encrypting data were not obvious to all. Reducing the frustration and delay caused by the additional (albeit simple) steps required to access the recovered data became important.
More than 3 years on, we still occasionally have customers frustrated by the additional steps they need to complete to access their recovered data.
Would just having password protection be a more acceptable alternative? It would give protection against all but the most persistent or knowledgeable hacker and solve the remaining few complaints we still get about receiving encrypted data.
Instead of accepting that the current business IT security measures are cast in stone, we should continue to ask the questions and weigh up the risks against the inefficiencies and frustration introduced by such security measures.
What do you think? Leave your feedback to this post.