Research

What Security Professionals Think about Encryption

In this, our first report from Dr. Larry Ponemon and the Ponemon Institute, results from a study show security professionals know what's good for them but don't embrace it.

By Larry Ponemon

February 24, 2006, CSO — How important is encryption to an organization's security? We recently completed the 2006 National Encryption Survey to find out what security and data privacy professionals think about using this technology to protect sensitive and confidential information.

According to our findings, encryption has not been embraced by organizations as part of a solution for protecting sensitive data from a security breach. In fact, only 4.2 percent of companies responding to our survey report that their organizations have an enterprisewide encryption plan.

Sponsored by the PGP Corporation, the study also focused on how recent data breaches might be influencing the use of encryption and how various state and federal security and privacy regulations might affect the adoption and implementation of encryption technologies. Other issues covered in our survey included:

  • The functional area responsible for procuring and implementing encryption.
  • Common uses and reasons for using encryption.
  • The types of data elements most likely to be protected by encryption (such as Social Security numbers, credit cards and so forth).
  • Respondents' level of confidence that encryption will safeguard personal and sensitive information.

Key Findings

Most common uses of encryption:

  • Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location (47 percent). Only 31 percent encrypt data on a computer storage device such as a server or laptop and 24 percent encrypt sensitive or confidential backup files or tapes before sending them to offsite storage locations.
  • The primary reason among respondents for not encrypting sensitive or confidential information is concern about system performance (69 percent) followed by complexity (44 percent) and cost (25 percent).

Most common reasons for encryption:

  • Organizations that do encrypt use the technology for electronic transmission of sensitive or confidential information (43 percent), electronic data on storage devices (30 percent), backup media (17 percent) and outbound e-mails (7 percent).
  • The top reasons for encryption are to prevent data breaches (55 percent), to protect the company's brand or reputation from the damage that could result from a breach (40 percent), to comply with Sarbanes-Oxley (29 percent) and to avoid having to notify customers or employees after a data breach occurs (12 percent).
  • The regulations that have proven most influential in deciding to use encryption are: various state and emerging federal regulations on data security breach notification (57 percent), HIPAA (43 percent) and Sarbanes-Oxley (34 percent).
  • The decision to procure encryption solutions is made by the organization's technology team (50 percent), financial team (20 percent), business unit leaders (15 percent) and both finance and IT (14 percent).
