Regulatory Compliance Drives Encryption

As data breaches continue to rise, U.S.-based companies are increasingly adopting encryption to secure their IT infrastructures, and their main reason is to comply with privacy and data protection regulations, a new study has found.

In the past, protecting data and mitigating data breaches drove encryption adoption. This year, for the first time, regulatory compliance became the top reason for implementing encryption technologies, according to the Ponemon Institute?s annual ?U.S. Enterprise Encryption Trends Report,? which is in its fifth year.

In 2010, 69 percent of the 964 IT and business leaders surveyed said compliance is their primary driver for encryption, an increase of five percentage points from the previous year. Mitigating data breaches fell to second place, with 63 percent saying it was a top driver for encryption adoption: a drop of four points from 2009 and eight points from 2008.

The results show the growing realization that compliance is important as companies try to avoid post-breach legal noncompliance penalties, according to the study, which was produced in conjunction with Symantec.

?Compliance is the most important reason for doing encryption, and the PCI [Payment Card Industry] Security Standard and the various state privacy laws have a lot to do with it,? says Larry Ponemon, chair and founder of the Ponemon Institute, a research firm in Traverse City, Mich.

The PCI standard, which requires credit card transaction security, is the fastest-growing reason for IT organizations to use encryption. The number of those surveyed who said PCI requirements constituted the most influential reason for using encryption has grown more than fourfold in the past four years, from 15 percent in 2007 to 64 percent in 2010. That?s because failure to comply will prevent organizations from doing online credit card transactions, the study says.

The Health Information Portability and Accountability Act (HIPAA), remains a key driver of encryption. However, other traditional drivers?the Sarbanes-Oxley and Graham-Leach-Bliley acts?have decreased in importance because companies have integrated compliance for those regulations into their standard operations, the study says.

Data Breaches on the Rise

Overall, the number of data breaches is increasing, and they are more severe. In 2010, 88 percent of respondents reported they had at least one breach during that year, a three-point increase from the previous year.

More specifically, 25 percent of companies reported that they had experienced five or more data breaches?a three-point increase from 2009. Forty percent of organizations surveyed had suffered two to five breaches, while 23 percent had only one breach. The results show that cyber-attackers continue to target unprotected data and mobile devices, the study says.

In other key findings, 95 percent of respondents said they were likely or very likely to experience the loss of sensitive or confidential information within the next 12 to 24 months. Of those surveyed, 93 percent consider data protection an important or very important part of their overall risk management efforts, a 13-point increase from 2009.

As a result, more IT organizations are implementing data encryption technology. In total, 84 percent of respondents have either fully executed or are in the process of implementing encryption. That?s a two-point increase from 2009 and a five-point increase from 2008.

Ponemon says he expects that encryption adoption will continue to increase in the coming years because more people are working remotely?either from home or on the road?and they access data on notebook computers and smartphones that could potentially house sensitive or confidential information.

Brian Tokuyoshi, a Symantec marketing manager who assisted with the study, agrees. ?They?re handling information about employees, and they could be carrying that information on a laptop,? he points out. ?You lose the laptop and it?s a data breach.?

Spending More on Encryption

Because protecting data is an ever-higher priority, IT organizations are spending more money on encryption technologies. Encryption is the fastest-growing earmark in IT budgets, meaning that the technology is strategic and receives dedicated annual funding. The percentage of IT organizations that earmark encryption has grown from 57 percent in 2008 to 69 percent in 2010.

The most popular encryption technologies in 2010 were file server encryption (62 percent adoption), full-disk encryption (59 percent) and database encryption (57 percent). As for other areas, desktop email encryption is used by 50 percent
of the respondents, while storage networking and USB flash drive encryption are used by 19 percent.

Voice over IP and mainframes are the least encrypted technologies. Only 9 percent of the respondents encrypt IP-based phone calls, and 8 percent encrypt mainframes.
Most organizations encrypt data at the end points, where it touches users, but protection for the administrative back end is emerging, the study?s authors wrote.