Risk
11/19/2009
02:12 PM
50%
50%

So Much Data, So Little Encryption

We surveyed almost 500 business technology professionals and found little end-to-end encryption use. Instead, we're doing only what auditors demand.

If you go solely by top-level stats on encryption use, you'll come away feeling pretty secure--86% of the the 499 business technology professionals responding to our InformationWeek Analytics State of Encryption Survey employ encryption of some type. But that finding doesn't begin to tell the real story. Only 14% of respondents say encryption is pervasive in their organizations. Database table-level encryption is in use by just 26%, while just 38% encrypt data on mobile devices. And 31%--more than any other response--characterize the extent of their use as just enough to meet regulatory requirements.

InformationWeek Reports

The reasons for this dismal state of affairs range from cost and integration challenges to entrenched organizational resistance exacerbated by a lack of leadership. The compliance focus is particularly galling. Encrypting a subset of data amounts to a "get-out-of-jail-free card" because it may relieve companies from having to notify customers of a breach. But knowingly doing the bare minimum to check a compliance box isn't security; it's a cop-out.

Admittedly, IT pros often face stiff resistance when they try to do more. "Our IT staff is working to increase the use of encryption, but frankly, users are more interested in quick and easy access to their data and don't really think about security," says one respondent. "The idea of getting data on a flash drive or laptop encrypted never enters the minds of most of the staff, from the director on down."

We say entrenched resistance because this isn't a new phenomenon--back in 2007, a Ponemon Institute survey found that just 16% of U.S. companies take an enterprise-wide approach to encryption. Network Computing examined the state of enterprise encryption at the time and found adoption to be a gradual process, often starting with backup tapes and spreading from there. A piecemeal approach was the norm then, and we're still moving in fits and starts, despite the momentum generated by compliance frameworks such as PCI, which requires encryption of credit card data in transit.

The Interoperability Factor

Part of the problem is that standards efforts have yielded exactly zero breakthroughs where we need them most--in interoperability, which would make encryption management easier and less expensive. We don't expect that situation to get better anytime soon.

When we asked IT pros what would increase their companies' use of encryption, responses ranged from built-in operating system support for creating encrypted files and folders (something Microsoft is working toward, as we'll discuss) to improved ease of use and performance, lower cost, and better key management. A few desperate souls wished for more regulation, or even a breach that would require notification of customers, to use as leverage for gaining funding and management buy-in.

"I'd like to think that it would only take the force of will to do the right thing," says a network director at an educational institution. "In reality, it would probably require a breach or exposure to shine the light on the problem."

Our favorite response: "I wish I knew so I could exploit it."

InformationWeek: November 21, 2009 Issue To read the rest of the article, download a free PDF of InformationWeek magazine
(registration required)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2015-2168
Published: 2015-03-03
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.