The days when information security was someone else’s concern are long gone – all business leaders need to ensure their data is properly protected
In an increasingly digital world, information security and data privacy are critically important to the enterprise. According to a new report, the use of encryption to protect sensitive data is a strategic business issue – a far cry from when it was a niche technology and solely the concern of the IT department.
The 2011 Global Encryption Trends Study, an independent research report by the Ponemon Institute and sponsored by Thales, surveyed more than 4,000 businesses from around the world. The findings shed light on why companies use encryption – and where they are using it within their particular enterprise.
Historically, many organisations deployed encryption in isolated cases to counter specific threats – perhaps to protect company laptops, maybe data in storage systems, and almost certainly internet connections. In 2005, only 15 per cent of organisations surveyed had an over-arching encryption strategy, and many were motivated merely by compliance.
Today, organisations that have a formal encryption strategy as part of a wider data protection policy outnumber those that do not. Not surprisingly, budgets are increasing and motivation is shifting – with the protection of brand or reputation emerging as the primary driver.
So who is responsible for encryption? Six or seven years ago, the head of IT or security would usually be the person responsible for building an encryption strategy.
Nowadays, although IT leaders are still the most influential, we have seen a huge rise in business leaders taking on responsibility for defining encryption strategy. If the trend continues we could see business leaders in the driving seat within a few years.
Whenever a company uses encryption, it has to use encryption keys. Encryption keys are secrets, used to make data meaningless to everyone without the correct code. The strongest safe in the world offers little security if a thief knows the combination to the lock; in the same way, weak protection of keys or poor key management practices mean a company’s data can be easily compromised.
Unsurprisingly, then, businesses consider key management the most important issue when deploying encryption technology – in particular the use of automated and centralised key management. Interestingly, half of respondents in the study believe that investments in key management have the potential to reduce operational costs.
The report highlights how encryption will be an increasingly important component of business security planning. However, encryption can only deliver its true potential if deployed correctly. Done badly, it can at best lead to a false sense of security and at worst cause you to lose your data for ever. Fortunately, recognised best practices and mature technologies such as hardware security modules (HSMs) are available and can deliver the levels of assurance that are necessary to survive in cyberspace.
Richard Moulds is vice president of strategy at Thales UK’s e-security business.
Visit Thales on stand D30 at InfoSecurity Europe at Earls Court, London, 24-26 April.