Businesses fail to learn from 2011 data breaches
While data breaches perpetuated during 2011 clearly demonstrated the need for more comprehensive encryption of business and customer data, a survey of over 170 IT managers with security responsibilities in UK businesses revealed that valuable and sensitive data held inside the perimeter walls of many systems are not necessarily being secured by effective and comprehensive encryption strategies.
When asked how they are currently using encryption, the leading answer of those IT managers polled was for protecting endpoints (82.2 percent), suggesting the threats from lost or stolen devices with unencrypted data are better understood.
However, SafeNet’s survey also found that the majority of respondents are not utilizing encryption technology beyond IT systems’ endpoints to encrypt the actual data and information held inside the perimeter walls, suggesting that many IT managers may not fully appreciate the importance of protecting core data itself with encryption protocols.
For example, only 43.7 percent of the UK businesses polled are encrypting web applications today; 33.3 percent databases; 30.6 percent storage, and 15 percent virtual infrastructure.
As recent data demonstrated, many of the affected organizations were attacked due to the fact that the breached IT systems did not employ a comprehensive encryption strategy necessary to protect their most high value data, enabling hackers to steal high volumes of sensitive information once they moved beyond the perimeter.
Despite the increase of data breaches in 2011 the UK businesses participating in the survey said they only plan to encrypt end points rather than extend encryption to the core systems.
When asked what areas they expected to expand encryption in the next three years, the majority of respondents (59.9 percent) said end points while fewer respondents stated that they plan to encrypt additional areas: databases (27 percent), web applications (30 percent) storage (34 percent) and virtual infrastructure (35 percent).
The survey indicates that many companies may need to improve how encryption is being managed to better mitigate threats and comply with general and industry specific regulations. In particular:
Regularly rotating the digital keys is an important best practice, but it seems that many organizations tend to rotate keys infrequently with the majority (71 percent) saying every 13 months or even longer intervals. Over a quarter of those IT managers polled (27 percent) said they didn’t know when they rotate their keys.
The most robust and effective key management policy is to ensure security keys are stored and used in a hardware repository rather than software, which can expose the keys to hacking attacks. However the majority of respondents – 56.8 percent – said their cryptographic keys are held in software not hardware (25.2 percent).
Although the survey did not ask about workloads, it did reveal that for the majority of organizations surveyed (61.3 percent) are relying on small teams of five people or less to manage cryptographic defenses.