Data Protection and Encryption Trends

Last month I had the opportunity to talk with John Dasher, director of product marketing for PGP Corporation, about the company’s annual sponsorship of Ponemon Institute’s research focusing on identifying trends in encryption use, planning strategies, budgeting, and deployment methodologies in enterprise IT. 997 U.S.-based IT and business managers, analysts, and executives participated this year. Twenty-five percent of respondents were at the director level or higher.

Dasher says that, with this being the report’s fourth year, it has been interesting and valuable not just for what any single year has revealed, but also for the trends it shows over time.

“We can see how corporations are incorporating encryption into the IT fabric, what their attitudes are about it, and what they are doing,” comments Dasher. “There are usually a few things that we look at and go: ‘Hum, that’s interesting.’ It is good to see that there are some behavioral changes occurring across corporate America. One of the things that drives a lot of the behaviors in this country is breach notification law, and with 44 states now having some form of breach notification law, sometimes it does take a stick instead of a carrot. We are seeing evidence of that. When we did this survey the first year, it is safe to say that there was a lot of what I would call defensive or reactive behavior, kind of akin to a homeowner purchasing a burglar alarm the day after their house gets robbed. In this year’s study there are a lot of interesting findings: one is, given the global economy and the news story on whether or not corporations are spending on IT. We saw between this year’s results and last year’s results that the use of encryption has stayed consistent over the last few years. Economic news notwithstanding, they are still making strategic investments in encryption, in full disk encryption especially.”

Dasher notes another interesting finding is the upswing in encryption and data protection efforts as part of overall risk management. “We see this as a nod to the strategic maturity of IT,” says Dasher. “Not being reactive and trying to mop up a spill but rather preventing the spill. We are up to over 58 percent acknowledging that data protection is very important, and 22 percent saying it’s important—so overall 80 percent of nearly 1,000 organizations are saying that data protection is an important part of their risk management strategy. We see this as being significant.”

A new category on the survey this year asked about encryption of data on mobile data-bearing devices used by employees. Dasher finds this survey result to be most interesting: over 60 percent of respondents listed encryption on mobile devices as important or very important.

“In the past it tended to be that some behaviors defied logic. We would see one hand saying: ‘I want to make sure laptops are protected’ but then they would give employees smartphones and not protect those. It is great to see that organizations are starting to say: ‘If it is a mobile device, whether a laptop or smartphone, let’s make sure it gets protected.’ This shows more maturity in the views and the strategies that organizations are rolling out.”

The survey also revealed that more than 70 percent of respondent organizations have a fully executed or just-launched data encryption strategy. This is up from 74 percent in 2008 and from 66 percent in 2007. Does this mean that data breaches are going down as a result of increased measures? It is hard to say, because 73 percent of survey participants had a breach in the last 12 months and that is up from 60 percent in the last study.

“Here’s the shocker,” reveals Dasher, “of that group over 20 percent had more than five in the last year. Data breaches continue to be a problem. It is interesting that not only are data breaches going up, but the number of organizations over the last year who have had more than one is going up at a fairly alarming rate.”

But Dasher believes that this does not necessarily mean companies are not being careful. “I think that it is less a function of them being irresponsible and more a function of knowing what to look for and having tools in place that are monitoring. I would not scream that corporations are irresponsible, it is actually the opposite. As organizations get more mature and start putting security measures in place to make sure that data is protected, doesn’t get lost, and that they have an awareness of what is going on in their organization, I would expect to see breaches go up. Not because more of them are happening or more is being stolen, but because organizations are more aware of what’s happening.”

For more on Ponemon Institute Encryption Reports over the last few years visit:
http://www.encryptionreports.com/