The ninth edition of one of the longest-running and most comprehensive studies of encryption strategies and practices, the 2013 Global Encryption Trends Study, conducted by Ponemon Institute for Thales e-Security, finds progress and growth in implementation, and also shows where some of the cracks are.
This year’s survey included for the first time respondents from the Russian Federation, and almost 5,000 participants from eight countries contributed.
Key findings include:
The primary driver for use of encryption is now lessening the impact of data breaches. This goal is a shift from previous years, in which the protection of a company’s brand or reputation was paramount. Many companies also indicate that they recognize a relationship between encryption and a lessened need for notification should a breach occur. When asked about an obligation to notify in the case of a personal information breach, on average 37 percent of respondents said notification would be required for data that had been unencrypted, and 20 percent for data that had been encrypted.
Food for thought: For U.S. respondents, only 61 percent indicated that notification would be required if the data were unencrypted.
Accidental data exposure through employee actions is the biggest fear among respondents; legal and law enforcement requirements came in second. Outside hackers and malicious insider action are considered lesser threats.
And the biggest challenges identified:
Discovery of data at risk. Sixty-one percent of respondents named this as one of their top two challenges.
Correct deployment of encryption technology. Fifty percent of respondents named this as one of their top two challenges.
Addressing that first challenge, discovering data at risk, will be unique to each organization, and will vary wildly in success rate, I’d venture to say, given the increasingly scattered nature of data storage.
As for the second challenge, the survey identified key management as a major issue. While the results go into some detail on specific approaches to key management that relate to the sponsor’s area of expertise, on a policy note, it is interesting to observe that three-fourths of respondents said key management is a “distinct discipline” within their organization, and almost as many said they do not apply dedicated staff or tools to the work. I think we may be onto some very easily improved metrics right there. Finding budget to support encryption policy was generally rated as a minor challenge, so perhaps next year’s numbers will be drastically different on this topic.
Also trending: greater influence among business leaders on encryption policy. This change is parallel to what’s happening in other areas, says the report: “We posit that the rising influence of business leaders reflects a general increase in consumer concerns over data privacy and the importance of demonstrating compliance to privacy and data protection mandates. It is also probable that the rise of employee owned devices or BYOD and the general consumerization of IT has had an effect. It is interesting to note that the influence of the security function on encryption strategy has been relatively constant (flat line) over the past [nine] years.”