Research implies under-appreciation of the importance of protecting core IT systems, making review of encryption strategies a critical requirement for UK businesses

London, 23 April 2012 - A new study of UK businesses conducted by SafeNet, Inc. reveals a mixed picture of how effectively UK businesses are protecting critical data and applications. While data breaches perpetuated during 2011 clearly demonstrated the need for more comprehensive encryption of business and customer data, SafeNet’s survey of over 170 IT managers with security responsibilities in UK businesses revealed that valuable and sensitive data held inside the perimeter walls of many systems are not necessarily being secured by effective and comprehensive encryption strategies.

SafeNet believes its research provides unique insight into how encryption is currently being implemented within the information technology infrastructure of many UK businesses. When asked how they are currently using encryption, the leading answer of those IT managers polled was for protecting endpoints (82.2%), suggesting the threats from lost or stolen devices with unencrypted data are better understood.

However, SafeNet’s survey also found that the majority of respondents are not utilizing encryption technology beyond IT systems’ endpoints to encrypt the actual data and information held inside the perimeter walls, suggesting that many IT managers may not fully appreciate the importance of protecting core data itself with encryption protocols. For example, only 43.7% of the UK businesses polled are encrypting web applications today; 33.3% databases; 30.6% storage, and 15% virtual infrastructure. As recent data demonstrated, many of the affected organisations were attacked due to the fact that the breached IT systems did not employ a comprehensive encryption strategy necessary to protect their most high value data, enabling hackers to steal high volumes of sensitive information once they moved beyond the perimeter. These and other incidents of data protection failure have led to loss of revenue, fines from regulatory bodies and negative impact to a company’s overall reputation

Despite the increase of data breaches in 2011 the UK businesses participating in the survey said they only plan to encrypt end points rather than extend encryption to the core systems. When asked what areas they expected to expand encryption in the next three years, the majority of respondents (59.9%) said end points while fewer respondents stated that they plan to encrypt additional areas: databases (27%), web applications (30%) storage (34%) and virtual infrastructure (35%). SafeNet believes these responses may reflect an under-appreciation of the hard lessons that were learned many businesses [in the UK] in 2011 when it became clear that encrypting the perimeter is no longer a sufficient stand-alone strategy to keep attackers from obtaining a company’s core asset - sensitive, valuable information and data.

SafeNet’s survey indicates that many companies may need to improve how encryption is being managed to better mitigate threats and comply with general and industry specific regulations. In particular:

Regularly rotating the digital keys is an important best practice, but it seems that many organisations tend to rotate keys infrequently with the majority (71%) saying every 13 months or even longer intervals. Over a quarter of those IT managers polled (27%) said they didn’t know when they rotate their keys.
The most robust and effective key management policy is to ensure security keys are stored and used in a hardware repository rather than software, which can expose the keys to hacking attacks. However the majority of respondents - 56.8% - said their cryptographic keys are held in software not hardware (25.2%).
Although the survey did not ask about workloads, it did reveal that for the majority of organisations surveyed (61.3%) are relying on small teams of five people or less to manage cryptographic defences.
Gary Clark, VP Business and Operations EMEA at SafeNet said: “It is good news that UK business are beginning to grasp the importance of encryption within their data protection strategies. However, use of encryption must go beyond primarily encrypting endpoints if organisations are going to heighten the integrity of their data security plans and ensure that all of their critical data is persistently protected anywhere within their IT infrastructure. As a leading crypto specialist, SafeNet’s day-to-day priority is helping our customers succeed by applying best practices and addressing cyber threats and IT system compliance issues with the utmost seriousness. This is why SafeNet has introduced solutions such as key management which helps relieve the pressures facing IT professionals, helping them more easily deploy, manage and control encryption across large, complex IT infrastructures.”