Data breaches have for the first time become the main reason enterrises implement encryption technology, according to a study of global encryption trends by The Ponemon Institute on behalf of security firm Thales e-Security.
The firm found that 46 percent of the 4,800 enterprises and IT managers questioned from around the world said that the main reason they invested in encryption was that it could lessen the impact of breaches. This beat a desire to protect brand reputation on 44 percent and the 40 percent mentioning compliance as the motivation.
It’s perhaps obvious that encryption makes stolen data less useful to criminals but the growing importance placed on protecting data rather than devices shows how the technology has risen from being precautionary measure to that of a frontline defence.
Storing data without encryption, especially customer data, is increasingly unthinkable with the US the most emphatic on this for 59 percent of those questioned. Curiously, some countries fall short of this enthusiasm with France in last place on 35 percent.
The reason is mainly local legislation and compliance regimes, with 61 percent of the US sample reporting that unencrypted customer data would require breach notification as against 33 percent believing notification would be necessary if it was.
On the face of it this is a bit surprising; many US organisations appear to believe that breach notification would not be required simply because the data had been encrypted. It is not clear that this is true although the same divide appears in all countries looked at.
The study also uncovered the usual problems with deploying encryption as well as identifying precisely where the sensitive data resides for it to be applied.
The figures also show that encryption use has doubled since the report was first compiled in 2005, and was now present in 30 percent of organisations. Not surprisingly, financial services leads the way with 43 percent making use of it.
Arguably, encryption use should be much higher. A major barrier remains the complexity of key management. This can also be hugely expensive, or at least firms believe it will be.
“Encryption usage continues to be a clear indicator of a strong security posture but there appears to be emerging evidence that concerns over key management are becoming a barrier to its more widespread adoption,” said Ponemon Institute founder, Dr Larry Ponemon,
“For the first time in this study we drilled down into the issue of key management and found it emerging as a huge operational challenge. But questions are and should be asked about the broader topics of policy issues and choice of encryption algorithms – especially in the light of recent concerns over back doors, poorly implemented crypto systems and weak key management systems.”