Encryption Key to Data Security

U.S.-based companies are increasingly adopting encryption technology, not just to secure data but to satisfy privacy and data protection regulations.

In the past, mitigating data breaches and protecting data itself drove encryption adoption, but this year for the first time regulatory compliance became the top reason for implementing encryption technologies, according to the Ponemon Institute's annual U.S. Enterprise Encryption Trends report, which is in its fifth year.

In 2010, 69 percent of the 964 IT and business leaders surveyed said compliance was their primary driver for encryption, a 5 point increase from last year. Mitigating data breaches falls to second place with 63 percent saying it was a top driver for encryption adoption. That's a drop of 4 points from 2009 and 8 points from 2008. The results show a growing acceptance of the importance of compliance as companies try to avoid post-breach legal non-compliance penalties, according to the study released in mid-November and produced in conjunction with Symantec.

"Compliance is the most important reason for doing encryption and the PCI (Payment Card Industry) Security Standard and the various state privacy laws has a lot to do with it," says Larry Ponemon, chair and founder of the Ponemon Institute, a research firm in Traverse City, Mich.

The PCI standard, which requires credit card transaction security, is the fastest growing reason for IT organizations to use encryption. The number of those surveyed who said PCI requirements were the most influential reason for using encryption has grown more than four-fold in the past four years, from 15 percent in 2007 to 64 percent in 2010, as failure to comply will prevent organizations from doing online credit card transactions, the study says.

The Health Information Portability & Accountability Act (HIPAA) remains a key driver, but other traditional drivers — the Sarbanes-Oxley and Gramm-Leach-Bliley acts — have decreased in importance because companies have integrated compliance for those regulations into their standard operations, the study says.

Data breaches on the rise

Overall, the number of data breaches is increasing and those breaches are more severe. Of those surveyed, 88 percent reported they had at least one breach in 2010, a 3 point increase from the previous year.

More specifically, 25 percent of companies reported that they experienced five or more data breaches, a 3 point increase from 2009. Forty percent of companies suffered two to five breaches, while 23 percent only had one breach. The results show that cyber-attackers continue to target unprotected data and mobile devices, the study says.

Encryption a higher priority

In other key findings, 95 percent of respondents said they were likely or were very likely to experience the loss of sensitive or confidential information within the next 12 to 24 months.

Of those surveyed, 93 percent consider data protection an important or very important part of their overall risk management efforts, a 13 point increase from 2009.

As a result, more IT organizations are implementing data encryption technology. In total, 84 percent of respondents have either fully executed or are in the process of implementing encryption, up 2 points from last year and up 5 points from 2008.

Ponemon says he expects encryption adoption will continue to increase in the coming years because more people work remotely, either from home or on the road, and they have to access data on their notebook computers and smart phones, which potentially could house sensitive or confidential information.

Because protecting data is a higher priority, IT organizations are spending more money on encryption technologies. Encryption is the fastest growing "earmark" in IT budgets, meaning the technology is strategic and receives dedicated annual funding. The percentage of those earmarking encryption has grown from 57 percent in 2008 to 69 percent in 2010.

The most popular encryption technologies in 2010 are file server encryption with 62 percent adoption, full disk encryption (59 percent) and database encryption (57 percent). As for other areas, desktop email encryption is used by 50 percent, while storage networking and USB flash drive encryption are used by 19 percent. Voice-over-IP and mainframes are encrypted the least, with only 9 percent encrypting IP-based phone calls and 8 percent encrypting mainframes.

Most organizations do encryption at the end points, where it touches users, while protecting the administrative back-end is still emerging, the study's authors wrote.