Fragmented encryption deployment increases firms' risks

Risks from fragmented encryption include a lack of centralized control of access to sensitive information and disruption of processes such as e-discovery and compliance monitoring, according to the survey of 1,575 organizations from 37 countries.

The survey found that the inability to access important business information due to fragmented encryption deployment and poor key management is costing each organization an average of $124,965 per year. The most common costs include inability to meet compliance requests, inability to respond to e-discovery requests, and inability to access important business information.

Forty-eight percent of enterprises increased their use of encryption over the past two years. The respondents state that almost half of their data is now encrypted at some point in its lifecycle. The typical organization reports having five different encryption solutions deployed.

“The use of encryption is increasing rapidly, which you might expect with the combination of regulation requiring encryption and concerns about threats”, said Tim Matthews, senior director of product marketing at Symantec. “The issue though is that the way people are actually implementing encryption has caused a fragmentation”, he told Infosecurity.

According to the survey, one-third of respondents said unapproved encryption deployment is happening on a somewhat to extremely frequent basis. Because these projects are not necessarily following the company's best practices, 52% of organizations have experienced serious issues with encryption keys including lost keys (34%) and key failure (32%). In addition, 26% have had former employees who have refused to return keys.

Furthermore, organizations are not very confident in their ability to manage encryption keys. Forty percent are less than somewhat confident they can retrieve keys, and 39% are less than somewhat confident they can protect access to business information from disgruntled employees.

“Key management can sound mundane to some, but this is really like disaster recovery. You have to have a system in place to manage the keys for your organization”, he said.

On the positive side, Matthews said that “there is a growing understanding among organizations of the issues involved in data recoverability, key management, and the use of encryption.”

Symantec recommends that organizations take the following steps to improve their use of encryption: understand the lifecycle for encryption processes and anticipate challenges involved with protecting data; plan a data recovery process; build a plan for consistent enterprise-wide encryption and key management prior to deploying encryption; encrypt assets, starting with email, laptops and mobile devices, before experiencing a data breach; and anticipate the effects of mobility and cloud computing and the need to encrypt data stored outside of the enterprise.
