Employee Mistakes, E-Discovery Drive Encryption Deployments: Study


Employee mistakes and e-discovery disclosures are considered the main threats to data security and are increasingly driving enterprise-wide encryption projects and overshadowing the threats posed by hackers or malicious insiders, according to a new survey.

Organizations are more concerned about erroneous exposure of confidential data or system malfunctions that result in data leakage, according to the Ponemon Institute 2012 Encryption Trends Study, issued last week. The survey, sponsored by Thales, contacted more than 4,000 people in seven countries about their company's ongoing encryption projects.

Concerns over inadvertent exposure outweigh concerns over actual attacks by more than 2-to-1, according to the survey. Employee mistakes ranked highest among threats to data protection at 26 percent, followed by legal and law enforcement requests for data and by system and process malfunction. Meanwhile, hacking and malicious insiders came in at 14 percent and 11 percent, respectively.

"Companies are getting nervous about e-discovery and forensic requests being used to extract data from the cloud," said Richard Moulds, vice president of product strategy at Thales e-Security. "They perceive these lawful processes and other non-security issues could lead to a loss of data or a breach."

Overall, 44 percent of those surveyed said encryption is seen as a tool to protect a company's brand or reputation. Encryption can lessen the impact of data breaches, according to 42 percent of those surveyed, and it helps companies comply with privacy and data security requirements. Moulds said encryption itself is no silver bullet. While regulators can mandate encryption, how it is deployed and maintained are the biggest factors in how well it protects data, he said.

"Encryption introduces a gray area about who has access to these keys and how to go about making sure the keys don't get stolen or aren't lost," Moulds said. "It's a business continuity issue as much as it is a security issue."

Identity and access management was seen as the top data protection priority, followed by data discovery and data protection when in use within business applications. Organizations are increasingly concerned about data protection in cloud-based environments, the study found. Organizations are deploying encryption for backup files, internal networks and cloud services and databases, Moulds said.

Encryption in the cloud helps give company employees the feeling they have more control over who can access their data, Moulds said. If the business is the only key holder, the data won't mistakenly be made available, he said.

"The concern is that because you are sharing infrastructure, you've got no idea where your data is," Moulds said. "Suddenly your data is no longer in your control, and who knows where it goes."

Email encryption and encryption of data on smartphones and tablets are the least likely to see enterprise-wide deployment, the survey found. Encryption of laptops, disk drives and backup tapes seems to be slowing down, Moulds said, while organizations are increasingly moving up the stack to network-level encryption or encrypted storage area networks, indicating an increase in maturity at organizations.

Organizations in Germany, the U.S. and Japan have become more mature in executing their encryption strategies, according to the survey. Many of the deployments are primarily driven by the need to buffer against data breach disclosure laws, Moulds said. Not surprisingly, financial services has the most encryption deployments, followed by the transportation and the hospitality and leisure industries.

PUBLISHED MARCH 5, 2013