Regulatory Compliance, Top Reason to Deploy Encryption

Symantec Corp. and the Ponemon Institute released the findings of the 2010 Annual Study: U.S. Enterprise Encryption Trends, which reveals that for the first time regulatory compliance has surpassed data breach mitigation as the top reason why organizations deploy encryption technologies.

The report also found that solutions involving encryption have seen the biggest increase in IT budget earmarks over the past year. The fifth annual study on enterprise encryption usage is based on responses from nearly 1,000 senior IT and business managers from 15 different industries. Versions of the study for the UK, France, Germany, and Australia, also supported by Symantec, will be released in the coming weeks.

"Given the fact that tough new data protection regulations mandate the use of encryption as a hedge against data breaches, enterprises are under increased pressure to invest in these technologies in order to comply," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "The HITECH Act and Massachusetts 201 CMR 17 are two examples of regulations which require businesses to encrypt sensitive consumer information or face stiff penalties for non-compliance, the impact of which is reflected in our research."

Survey Highlights:

• Data breaches continue to be a major concern for organizations and the subset experiencing more than five a year is on the rise. In the past 12 months, 88 percent of organizations surveyed had at least one data breach, up three percent from 2009. That increase is driven primarily by the group that experienced more than five breaches, up three percent from 2009 and 12 percent from 2008.
• The vast majority of organizations continue to adopt encryption: In this year’s study, 90 percent of organizations have completed at least one encryption project. This figure has stayed essentially stable for the past three years (down one point from 2009 and zero points from 2008). Data encryption ranked fifth in implementation among possible options.
• Data protection is increasingly viewed as a mission-critical element of an organization’s risk management efforts. An overwhelming number of respondents – 93 percent – stated that data protection is either a "very important" or "important" part of their risk management efforts.
• Organizations are consistently using the same encryption technologies, but full disk encryption is a growing favorite. Full disk encryption jumped to the number-two spot with a five percent increase from 2009 and remains the fastest-growing technology, with use up 15 percent since 2007.
• Complying with data protection and privacy regulations is becoming more central to organizations’ use of encryption, ahead of mitigating data breaches. This trend indicates that organizations are getting ahead of the curve with their encryption strategy before the breach occurs, not after.
• As a group, solutions involving encryption have seen the biggest increase in IT budget earmarks. Earmarks for encryption solutions are up nine percent from 2009 and 12 percent since 2008. Endpoint security solutions including laptop encryption are up 10 percent from 2009 and 11 percent from 2008. Key management for encryption solutions rose nearly as much, up nine percent from 2009 and 10 percent from 2008.

"All of these factors bolster the argument for organizations to protect their sensitive data with encryption technologies," said Bryan Gillson, senior director of product management, Symantec. "As companies increasingly rely on outsourcers, cloud-based technologies and mobile solutions, a major side effect is that more data is exposed to loss or theft. Encryption technologies enable organizations to take a more proactive approach to data protection and avoid the heavy fines, brand damage, and operational disruption a data breach can cause."