Why are enterprises using encryption? What encryption applications are in use? How are organizations planning for encryption?
Those are just a few of the questions that the Ponemon Institute, sponsored by PGP Corporation, sought to answer in its fourth annual survey, “U.S. Enterprise Encryption Trends.”
With the frequency and costs of data breaches on the rise, the survey of nearly 1,000 business and IT leaders concluded that “the need for encryption is more apparent than ever.”
This TechBrief summarizes the key findings of the survey.
Demonstrating that there has been no letup in data breaches, 85% of the organizations surveyed had at least one breach in the last 12 months, virtually unchanged from the 84% in 2008. Companies experiencing five or more breaches rose to 22% in 2009, up from 13% the year before.
For the second year in a row, every organization that had five or more data breaches was one with no encryption strategy, which “proves once again that the implementation of an enterprise-wide encryption strategy does reduce the risk of a data breach.”
At the same time, the majority of organizations, 78%, have some type of encryption strategy, up from 74% in 2008 and 66% in 2007.
One new finding concerned the use of encryption on mobile devices. The survey found that more than 59% of respondents said it is very important or important to encrypt employees’ mobile devices, “a sign that organizations recognize that valuable data is more mobile than ever.”
The survey found that encryption is mainly used to mitigate data breaches and to comply with privacy and data protection regulations. Those who selected regulations as one of the top reasons to encrypt cited state privacy laws (such as those in California and Massachusetts), PCI requirements, and Sarbanes-Oxley as the biggest regulatory catalysts for encryption.
The survey found the percentage of organizations using a platform approach to managing encryption applications is increasing. A platform approach enables an organization to centrally manage and deploy multiple encryption applications — such as email, laptop, or backup tape encryption — with centralized policy enforcement, including key management. That stands in contrast to the silo approach of acquiring, deploying, and managing multiple and disparate encryption applications.
The use of a platform approach increased from 17% in 2008 to 25% in 2009, almost double the 13% who said they were using a platform in 2007. Of the respondents who use a platform approach, an overwhelming 87% said it “increases the effectiveness and efficiency of their IT security program.”
The primary benefits of a platform approach cited by respondents included reducing operational costs, eliminating redundant administrator tasks, and allowing additional encryption applications to be added as needed.
As the Ponemon Institute and PGP have shown, data loss is costly, damages a brand, and causes customer churn. To withstand the effects of a possible data breach, encryption is on the rise – for file servers, laptops, and now for mobile devices such as PDAs.
Increasingly, IT leaders are turning to a more strategic platform approach to manage their encryption applications. The need for consistent key and policy management as well as the need to comply with privacy regulations are driving the use of an encryption platform. For the third year in a row, the survey found that the organizations with the most effective security programs take a strategic approach to encryption.