Cyber Security Institute

Monday, February 20, 2006

What Security Professionals Think about Encryption

How important is encryption to an organization’s security?  We recently completed the 2006 National Encryption Survey to find out what security and data privacy professionals think about using this technology to protect sensitive and confidential information.  According to our findings, encryption has not been embraced by organizations as part of a solution for protecting sensitive data from a security breach.  In fact, only 4.2 percent of companies responding to our survey report that their organizations have an enterprisewide encryption plan.

Key Findings

Most common uses of encryption: Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location (47 percent).
Only 31 percent encrypt data on a computer storage device such as a server or laptop and 24 percent encrypt sensitive or confidential backup files or tapes before sending them to offsite storage locations.
The primary reason among respondents for not encrypting sensitive or confidential information is concern about system performance (69 percent) followed by complexity (44 percent) and cost (25 percent).

Sponsored by the PGP Corporation, the study also focused on how recent data breaches might be influencing the use of encryption and how various state and federal security and privacy regulations might affect the adoption and implementation of encryption technologies. Other issues covered in the survey included:

  • The functional area responsible for procuring and implementing encryption.
  • Common uses and reasons for using encryption.
  • The types of data elements most likely to be protected by encryption (such as Social Security numbers, credit cards and so forth).
  • Respondents’ level of confidence that encryption will safeguard personal and sensitive information.

Types of data encrypted: The most important types of data that should be encrypted for storage and/or transmission are: business confidential documents (57 percent), records containing intellectual property (56 percent), only sensitive customer information (56 percent), accounting and financial information (41 percent) and employee information (35 percent). It is interesting to note that customer and consumer information scored a low 8 percent and 6 percent, respectively.

The top five types of personal information about a customer, consumer or employee that should be encrypted are health information (72 percent), sexual orientation (69 percent), Social Security number (67 percent), family members (66 percent) and work history (57 percent).

Encryption Increases Confidence in Security
The report found that information security and privacy professionals have the most confidence in their organization’s security program when it uses encryption as part of an enterprisewide implementation plan.

As shown, the highest confidence level (.82) is achieved for the group of respondents who report that their companies deploy encryption and have an enterprise implementation plan.

[Table: columns “Freq” and “Average Confidence Score*”; first row: “We have an overall encryption plan or strategy that is applied consistently across the entire enterprise.”]

The person respondents most commonly report to is the chief information officer (36 percent), followed by the chief technology officer (30 percent).

Posted on 02/20