Data security laws are now the main reason US companies take up encryption, for the first time surpassing even anxiety over data breaches, a new report by the Ponemon Institute on behalf of Symantec has found.
Now in its fourth year, the 2010 US Enterprise Encryption Trends report found that regulations were cited as the biggest factor for using encryption by 69 percent of the nearly 1,000 IT security respondents surveyed in larger companies and government.
This was up five points from 2009, when data breaches were the top motivation with a 67 percent rating, which fell in 2010 to 63 percent. Over three years, regulations have continued their slow rise up the motivation scale, while data breach worries have declined slightly.
Interestingly, this is despite the fact that data breaches appear to be getting more common and more severe over the same time period, with a quarter of respondents saying they have had five or more incidents during 2010, up considerably over three years.
Exactly which threats are rated as the worst is hard to tell – almost all appear high up the scale of worry. Cyberattack, malicious attacks by employees, industrial espionage, and the insecurity of virtualisation technology were all cited by more than 90 percent of the IT pros questioned.
In technology terms, encryption still sits in the middle of the investment table, some way behind conventional perimeter security such as intrusion protection and antivirus software for PCs.
When companies do invest, most opt to encrypt file servers and databases, with full-disk encryption of the sort found on laptops also growing in popularity.
“There is evidence that encryption has become one of security’s pillars. It is becoming part of the security arsenal,” commented Dr. Larry Ponemon, whose organisation carried out the research. “By making the technology invisible to the user...it is very likely that the adoption rate will increase,” he said.
Massachusetts’ state privacy regulation had been a major spur to use encryption even beyond the state itself, with PCI compliance and HIPAA (Health Insurance Portability and Accountability Act) also being significant.
Encryption is often seen as a magic wand to lock up data but it introduces complexities that have to be dealt with by IT staff. Data can end up being encrypted in a ‘Russian doll’ scenario where one encrypted set of data is then backed up to another encrypted format before being archived using a third key.
According to Ponemon, there is also a larger and unquantifiable issue, namely that data is now being created faster than organisations can possibly encrypt it, which suggests the need for a new data security maxim along the lines of Moore’s Law to summarise this bleak possibility.
The Ponemon Institute has promised equivalent reports looking at encryption uptake in major EU countries for the near future.