Encryption Key to Data Security
U.S.-based companies are increasingly adopting encryption technology, not just to secure data but to satisfy privacy and data protection regulations.
In the past, mitigating data breaches and protecting data itself drove encryption adoption, but this year for the first time regulatory compliance became the top reason for implementing encryption technologies, according to the Ponemon Institute’s annual U.S. Enterprise Encryption Trends report, which is in its fifth year.
In 2010, 69 percent of the 964 IT and business leaders surveyed said compliance was their primary driver for encryption, a 5 point increase from last year. Mitigating data breaches falls to second place with 63 percent saying it was a top driver for encryption adoption. That’s a drop of 4 points from 2009 and 8 points from 2008. The results show a growing acceptance of the importance of compliance as companies try to avoid post-breach legal non-compliance penalties, according to the study released in mid-November and produced in conjunction with Symantec.
“Compliance is the most important reason for doing encryption and the PCI (Payment Card Industry) Security Standard and the various state privacy laws has a lot to do with it,” says Larry Ponemon, chair and founder of the Ponemon Institute, a research firm in Traverse City, Mich.
The PCI standard, which requires credit card transaction security, is the fastest growing reason for IT organizations to use encryption. The number of those surveyed who said PCI requirements were the most influential reason for using encryption has grown more than four-fold in the past four years, from 15 percent in 2007 to 64 percent in 2010, as failure to comply will prevent organizations from doing online credit card transactions, the study says.
The Health Information Portability & Accountability Act (HIPAA) remains a key driver, but other traditional drivers -- the Sarbanes-Oxley and Gramm-Leach-Bliley acts -- have decreased in importance because companies have integrated compliance for those regulations into their standard operations, the study says.
Data breaches on the rise
Overall, the number of data breaches is increasing and those breaches are more severe. In 2010, 88 percent of respondents reported they had at least one breach, a 3 point increase from the previous year.
More specifically, 25 percent of companies reported that they experienced five or more data breaches, a 3 point increase from 2009. Forty percent of companies suffered two to five breaches, while 23 percent had only one breach. The results show that cyber-attackers continue to target unprotected data and mobile devices, the study says.
Encryption a higher priority
In other key findings, 95 percent of respondents said they were likely or were very likely to experience the loss of sensitive or confidential information within the next 12 to 24 months.
Of those surveyed, 93 percent consider data protection an important or very important part of their overall risk management efforts, a 13 point increase from 2009.
As a result, more IT organizations are implementing data encryption technology. In total, 84 percent of respondents have either fully executed or are in the process of implementing encryption, up 2 points from last year and up 5 points from 2008.
Ponemon says he expects encryption adoption will continue to increase in the coming years because more people work remotely, either from home or on the road, and they have to access data on their notebook computers and smart phones, which potentially could house sensitive or confidential information.
Because protecting data is a higher priority, IT organizations are spending more money on encryption technologies. Encryption is the fastest growing “earmark” in IT budgets, meaning the technology is strategic and receives dedicated annual funding. The percentage of those earmarking encryption has grown from 57 percent in 2008 to 69 percent in 2010.
The most popular encryption technologies in 2010 are file server encryption with 62 percent adoption, full disk encryption (59 percent) and database encryption (57 percent). As for other areas, desktop email encryption is used by 50 percent, while storage networking and USB flash drive encryption are used by 19 percent. Voice-over-IP and mainframes are encrypted the least, with only 9 percent encrypting IP-based phone calls and 8 percent encrypting mainframes.
Most organizations do encryption at the end points, where it touches users, while protecting the administrative back-end is still emerging, the study’s authors wrote.