Auditors are skeptical of organizations' data security efforts

The survey of 505 auditors found that only 32% believe that their organizations are proactively managing privacy and data protection risks. In addition, 60% of the auditors said that the organizations they audit do not believe that compliance improves their data security.

Richard Moulds, vice president of product strategy at Thales e-Security, told Infosecurity that there is a high level of skepticism among auditors about organizations' measures to secure data. The auditors felt that companies were implementing security measures “simply to check boxes rather than to give them a high level of security”, he said.

A full 51% of auditors surveyed said that, on average, more than half of the audits they have conducted had serious deficiencies or failed data security compliance requirements.

Encryption is the best method for protecting data assets, according to 71% of auditors. The auditors contended that the best way “to protect assets internally is by using encryption at some point in the organization”, Moulds said.

“Companies have not often deployed encryption within their business because they believed that people inside the organization were trustworthy. The auditors are saying that is no longer true. Organizations are so fragmented these days, you can’t necessarily trust staff, particularly if you think about branching out to cloud-based services”, Moulds said.

Encryption – rather than tokenization, suppression or masking – is viewed by auditors as the best technology for securing databases, data in storage, data in applications and data at point of capture.

The survey found auditors prefer encryption over tokenization to secure data in a database (54% encryption, 15% tokenization) and encryption (55%) over tokenization (17%) to secure data in storage.

Encryption is particularly useful in securing mobile devices, data being transferred over public networks, and databases and storage, according to the survey. “This is interesting because databases and data storage are inside the data center, they are traditionally managed by your trusted staff, and they are behind levels of protection, and yet encryption is viewed as important to secure these assets”, Moulds observed.
