The 2013 Global Encryption Trends Study released today has exposed the major challenges businesses still face in executing data encryption policy.
The report, based on independent research by the Ponemon Institute and sponsored by Thales, revealed that use of encryption continues to grow in response to consumer concerns, privacy compliance regulations and on-going cyber attacks.
More than 4,800 business and IT managers were surveyed in the US, UK, Germany, France, Australia, Japan, Brazil and Russia, examining global encryption trends and regional differences in encryption usage.
The results showed there has been a steady increase in the deployment of encryption solutions used by organisations over the past nine years, with 35% of organisations now having an encryption strategy applied consistently across the entire enterprise compared with 29% last year. Only 14% of organisations surveyed did not have any encryption strategy, compared with 22% last year.
For the first time, the primary driver for deploying encryption in most organisations was to lessen the impact of data breaches, whereas in previous years the primary concern was protecting the organisation’s brand or reputation.
Of those organisations that believed they had an obligation to disclose data breaches, nearly half believed that encrypting their data provides a safe harbour that avoids the need to disclose that the actual breach occurred.
The fastest growing reason as to why organisations were deploying encryption was to ensure they meet their commitments to their customers’ privacy, with 42% of organisations focussing on their customer’s interests rather than for their own benefit, which has increased by 5% compared with last year.
The number one perceived threat to the exposure of sensitive or confidential data remained employee mistakes, according to 27% of respondents. When employee mistakes are combined with accidental system or process malfunctions, concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than two-to-one, the report found.
Furthermore, forced disclosures triggered by e-discovery requests represented the second highest perceived threat to the loss of sensitive data.
When asked about where encryption is used, organisations ranked backup tapes and databases as most important followed by network encryption and laptop encryption. Cloud encryption had a relatively low ranking compared with other encryption use cases ranking outside the top 10.
The two biggest challenges facing organisations executing a data encryption policy were discovering where sensitive data actually resides, reported by 61% of respondents, and the ability to deploy encryption technology effectively, reported by 50% of respondents.
Key management was identified as a major issue with more than half of organisations surveyed rating the overall challenge associated with management of keys or certificates more than seven out of ten, and 30% of organisations rated the challenge at nine or ten.
Whilst three quarters of organisations identified key management as a formal discipline within their organisation, more than 70% of those organisations failed to allocate dedicated staff or tools to the task of managing keys.
“Encryption usage continues to be a clear indicator of a strong security posture but there appears to be emerging evidence that concerns over key management are becoming a barrier to its more widespread adoption,” said Dr Larry Ponemon, chairman and founder of The Ponemon Institute.
“For the first time in this study we drilled down into the issue of key management and found it emerging as a huge operational challenge. But questions are and should be asked about the broader topics of policy issues and choice of encryption algorithms – especially in the light of recent concerns over back doors, poorly implemented crypto systems and weak key management systems.”