What Security Professionals Think about Encryption

How important is encryption to an organization’s security? We recently completed the 2006 National Encryption Survey to find out what security and data privacy professionals think about using this technology to protect sensitive and confidential information.

According to our findings, encryption has not been embraced by organizations as part of a solution for protecting sensitive data from a security breach. In fact, only 4.2 percent of companies responding to our survey report that their organizations have an enterprisewide encryption plan.

Sponsored by the PGP Corporation, the study also focused on how recent data breaches might be influencing the use of encryption and how various state and federal security and privacy regulations might affect the adoption and implementation of encryption technologies. Other issues covered in our survey included:

• The functional area responsible for procuring and implementing encryption.
• Common uses and reasons for using encryption.
• The types of data elements most likely to be protected by encryption (such as Social Security numbers, credit cards and so forth).
• Respondents’ level of confidence respondents that encryption will safeguard personal and sensitive information.

Key Findings

Most common uses of encryption:

• Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location (47 percent). Only 31 percent encrypt data on a computer storage device such as a server or laptop and 24 percent encrypt sensitive or confidential backup files or tapes before sending them to offsite storage locations.
• The primary reason among respondents for not encrypting sensitive or confidential information is concern about system performance (69 percent) followed by complexity (44 percent) and cost (25 percent).

Most common reasons for encryption:

• Organizations that do encrypt use the technology for electronic transmission of sensitive or confidential information (43 percent), electronic data on storage devices (30 percent), backup media (17 percent) and outbound e-mails (7 percent).
• The top reasons for encryption are to prevent data breaches (55 percent), to protect the company’s brand or reputation that could result from a breach (40 percent), to comply with Sarbanes-Oxley (29 percent) and to avoid having to notify customers or employees after a data breach occurs (12 percent).
• The regulations that have proven most influential in deciding to use encryption are: various state and emerging federal regulations on data security breach notification (57 percent), HIPAA (43 percent) and Sarbanes-Oxley (34 percent).
• The decision to procure encryption solutions is made by the organization’s technology team (50 percent), financial team (20 percent), business unit leaders (15 percent) and both finance and IT (14 percent).

Types of data encrypted:

• The most important types of data that should be encrypted for storage and/or transmission are: business confidential documents (57 percent), records containing intellectual property (56 percent), only sensitive customer information (56 percent), accounting and financial information (41 percent) and employee information (35 percent). Interesting to note that customer and consumer information scored a low 8 percent and 6 percent, respectively.
• The top five types of personal information about a customer, consumer or employee that should be encrypted are health information (72 percent), sexual orientation (69 percent), Social Security number (67 percent), family members (66 percent) and work history (57 percent).
• The bottom five types of personal information about a customer, consumer or employee that should be encrypted are: e-mail addresses (10 percent), home location and telephone (6 percent), educational background (5 percent), interests and preferences (2 percent) and gender (1 percent).

Encryption Increases Confidence in Security

We found that information security and privacy professionals have the most confidence in their organization’s security program when it uses encryption as part of an enterprisewide implementation plan.

To arrive at this finding, we asked respondents, “How confident are you that your organization’s security program is sufficient to protect or safeguard sensitive and confidential information?” The item is scored using a numeric adjective scale where respondents placed an X mark on a line ranging from range: 0 = no confidence to 1 = significant confidence.

Figure 1 shows the subjects’ overall percentage responses to this question.

As shown in Figure 1, the distribution peaks between .5 to .6 on the confidence scale. The grand mean for all 735 subjects is .561.

Table 1 provides the frequency of subjects according to how their organizations implement encryption technologies. As noted, only 31 respondents report that their companies have an encryption plan that is applied consistently across the enterprise. In contrast, 348 respondents state that their companies do not use encryption. According to 178 respondents, while they use encryption their companies do not have an implementation plan.

Table 1 also computes average confidence levels to each one of five encryption implementation categories. As shown, the highest confidence level (.82) is achieved for the group of respondents who report that their companies deploy encryption and have an enterprise implementation plan. The lowest confidence level (.51) occurs for respondents who report that their companies do not use encryption.

Table 1

*Note: Average confidence is based on a 0 to 1 scale to the question, “How confident are you that your organization’s security program is sufficient to protect or safeguard sensitive and confidential information?”

Figure 1 shows the distribution (percentage frequencies) of confidence ratings for two groups in Table 1—namely, subjects who deploy encryption and have an enterprise implementation plan (n=31) and subjects whose organizations do not use encryption (n=348). As suggested from individual responses, companies using encryption as part of an enterprise implementation plan appear to enjoy more confidence about their company’s security program that those who do not use encryption.

Conclusion

Our study indicates that encryption is viewed by many professionals as an important security tool—which enhances the information security and overall sense of trust or comfort in their organizational data protection efforts. One of the most interesting findings is that the use of encryption seems to be motivated more by the concern over prevention of a security breach and protection of the organization’s brand and reputation than by concerns over compliance. This suggests that organizations are realizing the importance of raising the bar in the area of data protection in order to maintain the trust and confidence of individuals who are providing their personal information.

Methodology

Our research was conducted independently. We developed our instrument with input from individuals with deep information security expertise and experience using encryption technologies in either government or business environments.

Our Web-based survey utilized two proprietary datasets composed of privacy and information security professionals. Both datasets require subjects to opt-in prior to making contact. All data was captured through e-mail or letter invitation to a secure extranet website. The total sampling frame included 6,298 individuals. Of these, over 91 percent were designated as information security specialists, and the remaining 9 percent were designated information privacy.

The total number of completed responses was 791, a 13 percent response rate. It is interesting to note that 81 percent of the final sample is male and 19 percent is female. Despite differences, this result is appears to be consistent with demographics from the information security sub-sample (which is predominantly male). In sharp contrast, our sub-sample of privacy professionals is skewed toward female subjects.

Sixty-five percent of the respondents were in the information security function in their organizations, 9 percent are just in privacy, and 26 percent are in both security and privacy functions. The primary person most report to is the chief information officer (36 percent) followed by the chief technology officer (30 percent). Ten percent report to the chief security officer and only 7 percent report to the chief privacy officer.

For more information about the 2006 National Encryption Study, please contact us at research@ponemon.org or call 800-887-3118.