The latest study by Thales into trends in encryption has been expanded to include the US, UK, Germany, France, Australia, Japan and Brazil, and takes the views of more than 4000 business and IT managers. Its purpose is to understand where, why and how encryption is used.
The use of encryption is growing. Extensive use within companies has steadily increased over the last seven years from 16% in 2005 to 25% in 2011. Unsurprisingly, perhaps, the most dramatic increase in the use of encryption has been on laptops.
In general, encryption is most likely to be used on backup files, internal networks, external communications and laptops. It is least likely to be used on smart phones, email and file servers. Where encryption is used, business is more concerned with its ease of use than its extent. For example, the two most important features are automated key management and a single control interface, while the least important features are format-preserving encryption (FPE) and encryption of the widest range of possible applications.
Overall, the biggest single budget driver for the use of encryption is not specifically to protect customers, nor even to conform to legal and regulatory requirements – but to protect brand reputation. This does however vary between the different regions, with those countries with strong data protection laws – notably the US and the EU – being driven more by conformance. Throughout, however, non-IT managers are increasingly involved in their companies’ encryption policy. This may reflect both an emerging view that encryption should be seen as a company policy rather than just an IT policy, and the overall consumerization of IT.
These are the headline results. But some of the more fascinating and perhaps surprising results can be found in the detailed responses. For example, in a data protection priority ranking of 1 to 13, ‘identity and access management’ is given the highest priority (11.8). Staff training and certification is only rated at 8.6, while protecting against external penetration (that is, hackers) is given a priority of just 7.1. The lowest of all priorities are reserved for protecting data in outsourced or cloud environments (5.5) and protecting against viruses, malware and spyware infection (4.0). For the former, this may reflect that when data is outsourced, companies believe the associated risk is similarly outsourced; and for the latter, the danger of malware – a major cause of sensitive data exfiltration – is suffering from familiarity.