Unencrypted backup tapes “still the norm’, warns DISUK
Silverstone, UK – 15th November 2005 – Almost a year of near-continuous warnings about the vulnerability of backup tapes has gone unheeded, results from a survey showed today. Less than a quarter of companies currently encrypt their backup tapes, closely matching results of a survey (1) conducted in March 2005.
In fact, DISUK’s global “Paranoia Audit 2005′ showed markedly less paranoia worldwide than might be considered healthy to ensure rigorous data security. Only 34 per cent of respondents said that their corporate security policy included backup encryption, and only 23 per cent said that it was actually taking place.
However, of the non-encrypting 77 per cent, more than 46 per cent plan to incorporate encryption. But, overall, this still leaves almost one in six firms with no plans to encrypt backup tapes any time soon.
“I find the DISUK survey to be one of the first intelligent analyses I have seen on the subject of storage security,” said Jon Toigo, CEO of Toigo Partners International, a consumer-focused IT consulting firm, and founder of the Data Management Institute, an on-line community for data managers. “There is so much hype and misinformation around storage security that the very rudimentary requirements, like encrypting backup tapes that are headed off premise to a backup center or off site storage facility, are too often being missed.”
Toigo continued, “The increased perception of the common sense need to encrypt storage media heading off the corporate campus is good to see. It shouldn’t take the threat of regulatory or legal actions for companies to appreciate the need to safeguard their most irreplaceable asset: data.”
Paul Howard, managing director of DISUK, said, “Today’s results are surprising given the spate of high-profile incidents during 2005 that involved the loss of backup tapes containing sensitive personal information. At the time these incidents served to highlight that millions of people are at daily risk of identity theft because data backed up to magnetic tape is unencrypted more often than not. Many organisations appear to have short memories or simply to think it won’t happen to them.”
A lack of a standard approach to data security is also revealed by a lack of consistency and uncertainty over precisely with whom, within organisations, responsibility lies. Less than one in five respondents cited the storage manager, with the security manager named by 41 per cent. Of more concern, responsibility was deemed to be shared between these two by 17 per cent of respondents, while nine per cent admitted that responsibility was unclear and two per cent replied that no-one was responsible. This suggests that lines of responsibility are either unclear or non-existent in more than a quarter of organisations.
Of the encrypting minority, encryption software is used by more than half, with the remainder split between backup/archiving software and encryption appliances, reinforcing the interpretation that there is no standard approach to the issue.
Paul Howard said, “Effective data security will only become a reality through a combination of technology and well-managed human processes. For example, more than half of the companies that took part in our survey use a third party either to transport or store backup tapes, and someone needs to have specific, overall responsibility for that relationship. Muddled chains of responsibility often end in tears.”
Encouragingly, daily backups are taken by 74 per cent of companies, while a further 24 per cent undertake a weekly backup. Just one in 10 companies take hourly backups. Tape remains the most common backup medium at 76 per cent, although disk continues to take a growing share at 38 per cent.
Security for its own sake remains the leading driver for backup encryption, cited by almost three-quarters of respondents. Regulatory compliance was mentioned by only 41 per cent of participants.
(1) From the research conducted by Enterprise Strategy Group, Inc. – “Information at Risk: The State of Backup Encryption” March 2005.