[ISN] Encryption: A nice idea that few want to implement?

InfoSec News isn at c4i.org
Tue Dec 27 08:16:19 UTC 2005 

http://www.computerworld.com/securitytopics/security/story/0,10801,107280,00.html

Opinion by Larry Ponemon 
DECEMBER 22, 2005 
COMPUTERWORLD

Companies are not embracing encryption as a way to protect sensitive
data. According to Ponemon Institute's 2005 National Encryption
Survey, only 4.2% of companies responding to our survey say their
organizations have an enterprisewide encryption plan.

However, the study also reveals that encryption is viewed by many as
an important security tool that enhances the IT professionals' overall
sense of trust or comfort in data-protection efforts. The primary
reasons cited for not encrypting sensitive or confidential information
were concern about system performance (69%), complexity (44%) and cost
(25%). (See "Securing Card Data Isn't An Easy Sell." [1])

Sponsored by PGP Corp., this independent study was conducted to learn
what privacy and security professionals think about encryption and how
adequate they believed their organization's security programs are to
protect sensitive and confidential information.

Encryption is mostly used to protect sensitive or confidential
electronic documents when sending them to another system or location
(47%), according to our survey results. Only 31% of respondents
encrypt data on a device such as a server or laptop, and 24% encrypt
sensitive or confidential backup files or tapes before sending them to
off-site storage locations.

Given the number of security breaches that are being reported, it
seems that now might be a good time to look more closely at
encryption. Just this week, for example, tapes containing data on 2
million ABN Amro customers went missing, although the tapes were later
recovered (see Update: Missing ABN Amro tape with 2 million names
found [2]). And companies are starting to be held liable for not
safeguarding data. The Federal Trade Commission recently charged shoe
discounter DSW Inc. with failing to provide reasonable and appropriate
security for sensitive customer information, because the company
allegedly stored information in unencrypted files that could be
accessed easily using a commonly known user ID and password. DSW
recently settled with FTC over charges that its data-security failures
constituted an unfair practice under federal law, allowing hackers to
access credit card, debit card and checking account information of
more than 1.4 million consumers.


Who responded?

Our Web-based survey used two proprietary data sets composed of
privacy and information security professionals. Both require subjects
to opt in prior to making contact. All data was captured through
e-mail or letter invitation to a secure extranet Web site. The total
sampling frame included 6,298 individuals. Of these, more than 91%
were designated as information security specialists, and the remaining
9% were designated as information privacy specialists.

The total number of completed responses was 791, making a 13% response
rate. 81% of the final sample is male, and 19% is female. We found
that our subsample of privacy professionals is skewed toward female
subjects.


What we learned

Here are some of the most interesting findings from our study:

* Organizations that use encryption technology do so for the following
  reasons: electronic transmission of sensitive or confidential
  information (43%), electronic data on storage devices (30%),
  backup media (17%) and outbound e-mails (7%).

* The top reasons for encryption are to prevent data breaches (55%),
  to protect the company's brand or reputation that could result from
  a breach (40%), to comply with the Sarbanes-Oxley Act (29%) and to
  avoid having to notify customer or employees after a data breach
  occurs.

* Regulations that have proven most influential in deciding to use
  encryption include various state and emerging federal requirements
  on data security breach notification (57%), the Health Insurance
  Portability and Accountability Act (43%) and Sarbanes-Oxley (34%).

* The types of data considered most important to be encrypted for
  storage and/or transmission are business confidential documents
  (57%), records containing intellectual property (56%), sensitive
  customer information (56%), accounting and financial information
  (41%) and employee information (35%). Interestingly, all customer
  information and consumer information scored a low 8% and 6%,
  respectively.

* The top five types of personal information about a customer,
  consumer or employee that should be encrypted are health information
  (72%), sexual orientation (69%), Social Security number (67%),
  family members (66%) and work history (57%).

* The bottom five types of personal information about a customer,
  consumer or employee that should be encrypted are e-mail (10%), home
  location and telephone (6%), educational background (5%), interests
  and preferences (2%) and gender (1%).

Our research suggests that privacy and security professionals believe
encryption is important to safeguarding sensitive data. Concerns about
encryption negatively affecting system performance, ease of use and
cost can and should be addressed in order to achieve more security and
avoid a breach that can prove costly to a company's bottom line and
reputation.

For more information about the 2005 National Encryption Study, contact
research at ponemon.org.

Larry Ponemon is chairman of Ponemon Institute, a think tank dedicated
to ethical information management practices and research. He is an
adjunct professor of ethics and privacy at Carnegie Mellon
University's CIO Institute and is a CyLab faculty member. Ponemon can
be reached at larry at ponemon.org.

[1] http://www.computerworld.com/securitytopics/security/story/0,10801,107183,00.html
[2] http://www.computerworld.com/databasetopics/data/story/0,10801,107230,00.html

More information about the ISN mailing list