Most UK organisations hit by data breach

The 2009 UK Enterprise Encryption Trends study, an annual survey that polled information security professionals at 615 companies and public sector organisations, also found that 12% of respondents had more than five data loss incidents over the last year, compared to 3% the year before. Of these, only 43% were made public – Ponemon said “there was no legal or regulatory requirement to disclose the remaining 57% of incidents”.

The public sector saw the highest number of data loss incidents, with an average of 4.48 data breaches per organisation. Financial sector firms saw an average of 3.11 incidents, followed by healthcare and pharmaceutical firms (2.65), the professional services industry (2.52) and the educational sector (2.47). At the other end of the scale, with no reported breaches, were the entertainment, media and defence sectors.

Phillip Dunkelberger, president and CEO of PGP Corporation, said: “It’s clear that UK organisations recognise the need to protect customer information and other valuable data assets, but while their intentions may be good, not all of them are doing everything it takes to make this a reality.

“This study underlines the critical importance of implementing an encryption strategy that encompasses all aspects of an organisation’s data, not just to meet privacy or data security regulations but also to protect against brand damage and loss of customers.”

Lack of encryption policies

As perhaps expected, those seeing the highest levels of data loss and breaches were also the least likely to have introduced an effective, company-wide strategy for data encryption. None of those reporting more than five data breach incidents had an encryption strategy in place, whereas a third of those with no reported data breaches had enterprise-wide encryption policies, and a further 36% had introduced a partial strategy to protect certain applications, departmental activities or data types.

Following recent reports of lost or stolen portable devices, this year’s study also covered encryption of data on mobile devices. Just over half of respondents said encryption of data on mobile devices was ‘very important’, 34% believed it is only necessary to encrypt confidential data on mobile devices sometimes, and over a tenth thought it unimportant.

Despite a lack of organisation-wide enforcement of encryption policies, 57% of UK businesses said they are using some type of encryption solution, with the remaining 43% planning to implement encryption technologies.

Up one percentage point from last year, 14% of organisations use a single platform to deploy and manage encryption across multiple applications. All such users said this improved the management of encryption keys, and 90% said it raised the efficiency and effectiveness of their information security procedures. 59% also said they were confident a single platform for encryption would reduce the operational costs associated with data protection.

Data protection regulation

Surprisingly, given the number of data breaches, Infosecurity notes, 61% of respondents said data protection played an ‘important’ or ‘very important’ role in their organisation’s overall risk management efforts. Just under half (46%) said encryption helped them meet privacy commitments, and 45% believed encryption was critical for protecting the company’s reputation.

The EU Privacy Directive was considered the most influential regulation shaping approaches to data encryption, followed by the Payment Card Industry Data Security Standard (PCI-DSS) requirements and the UK Data Protection Directive.
