Encryption: A nice idea few want to implement

Companies are not embracing encryption as a way to protect sensitive data. According to Ponemon Institute's 2005 National Encryption Survey, only 4.2 percent of companies responding to our survey say their organizations have an enterprise-wide encryption plan.

However, the study also reveals that encryption is viewed by many as an important security tool that enhances the IT professionals' overall sense of trust or comfort in data-protection efforts. The primary reasons cited for not encrypting sensitive or confidential information were concern about system performance (69 percent), complexity (44 percent) and cost (25 percent).

Sponsored by PGP Cororation, this independent study was conducted to learn what privacy and security professionals think about encryption and how adequate they believe their organization's security programs are to protect sensitive and confidential information.

Encryption is mostly used to protect sensitive or confidential electronic documents when sending them to another system or location (47 percent), according to our survey results. Only 31 percent of respondents encrypt data on a device such as a server or laptop, and 24 percent encrypt sensitive or confidential backup files or tapes before sending them to off-site storage locations.

Given the number of security breaches that are being reported, it seems that now might be a good time to look more closely at encryption. Just this week, for example, tapes containing data on 2 million ABN Amro customers went missing, although the tapes were later recovered. And companies are starting to be held liable for not safeguarding data.

The Federal Trade Commission recently charged shoe discounter DSW Inc. with failing to provide reasonable and appropriate security for sensitive customer information, because the company allegedly stored information in unencrypted files that could be accessed easily using a commonly known user ID and password. DSW recently settled with FTC over charges that its data-security failures constituted an unfair practice under federal law, allowing hackers to access credit card, debit card and checking account information of more than 1.4 million consumers.

Who responded?
Our Web-based survey used two proprietary data sets composed of privacy and information security professionals. Both require subjects to opt in prior to making contact. All data was captured through e-mail or letter invitation to a secure extranet Web site. The total sampling frame included 6,298 individuals. Of these, more than 91 percent were designated as information security specialists, and the remaining 9 percent were designated as information privacy specialists.

The total number of completed responses was 791, making a 13 percent response rate. 81 percent of the final sample is male, and 19 percent is female. We found that our sub-sample of privacy professionals is skewed toward female subjects.

What we learned
Here are some of the most interesting findings from our study:

- Organizations that use encryption technology do so for the following reasons: electronic transmission of sensitive or confidential information (43 percent), electronic data on storage devices (30 percent), backup media (17 percent) and outbound e-mails (7 percent).

- The top reasons for encryption are to prevent data breaches (55 percent), to protect the company's brand or reputation that could result from a breach (40 percent), to comply with the Sarbanes-Oxley Act (29 percent) and to avoid having to notify customer or employees after a data breach occurs.

- Regulations that have proven most influential in deciding to use encryption include various state and emerging federal requirements on data security breach notification (57 percent), the Health Insurance Portability and Accountability Act (43 percent) and Sarbanes-Oxley (34 percent).

- The types of data considered most important to be encrypted for storage and/or transmission are business confidential documents (57 percent), records containing intellectual property (56 percent), sensitive customer information (56 percent), accounting and financial information (41 percent) and employee information (35 percent). Interestingly, all customer information and consumer information scored a low 8 percent and 6 percent, respectively.

- The top five types of personal information about a customer, consumer or employee that should be encrypted are health information (72 percent), sexual orientation (69 percent), Social Security number (67 percent), family members (66 percent) and work history (57 percent).

- The bottom five types of personal information about a customer, consumer or employee that should be encrypted are e-mail (10 percent), home location and telephone (6 percent), educational background (5 percent), interests and preferences (2 percent) and gender (1 percent).

Our research suggests that privacy and security professionals believe encryption is important to safeguarding sensitive data. Concerns about encryption negatively affecting system performance, ease of use and cost can and should be addressed in order to achieve more security and avoid a breach that can prove costly to a company's bottom line and reputation.

For more information about the 2005 National Encryption Study, contact research@ponemon.org.