Survey: Majority Of IT Pros Not Encrypting Customer Data


A majority of IT professionals whose companies had customer data lost or stolen said the information was not encrypted, a survey released Wednesday found.

Examples of the types of data lost included e-mail, credit card or bank payment information and social security numbers, according to the study conducted by the Ponemon Institute and sponsored by credit-checking company Experian. The most common cause of the breach was a negligent person inside the company. Outsourcing to a third party was cited as another main cause, followed by a malicious insider.

Ponemon surveyed more than 500 IT professionals. Respondents were asked to focus on the breach they believed had the greatest financial and reputational impact.

Fully 60 percent of respondents said the lost data was not encrypted, a practice that could work against a company in a lawsuit, if the organization was negligent. "Data breaches are frequent and as a result millions of consumers are vulnerable to having their identity stolen," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.

The high percentage of companies with unencrypted customer data was not a surprise to Peter Bybee, president and chief executive of reseller Security On-Demand. Unless organizations are required to encrypt data either by regulations or contracts, information is mostly left in a readable format, he said.

The reasons are non-IT managers who don't fully understand the security risks, and the expense of encrypting data, which could involve costly architectural changes. The more older databases a company has, the more expensive it is to encrypt data.

"There's some pain there," Bybee said. "It's not as simple as: OK, we need to encrypt it, so let's check the box that says encrypt."

With so many organizations storing unencrypted data, it's not surprising that only half of the respondents believed their organizations made the best possible effort to protect customer information. Once a data breach occurred, hiring a lawyer and assessing the damage to victims were rated highest in reducing negative consequences. More than 60 percent of the respondents said their companies increased their security budgets following a breach.