Enterprises are having trouble recovering business information because they are not properly managing the data encryption keys, which effectively lock them out of the critical data they sought to protect, Symantec found in a survey.
Enterprises are using encryption in more places than ever,
but they are not properly securing the keys or using consistent products, a
recent report found.
Despite using encryption, poor key management and lack of
control over the technologies being used can cost the organization an average
of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey
report released by Symantec on Nov. 30.
Most of the costs were related to reduced stock price and
brand damage. The cost of improperly securing data does not include the cost of
a data breach but reflects the expenses organizations bear because of the time
it takes IT to try to find and recover the business data or the key used to
secure the data, Tim Matthews, senior director of product marketing at
Symantec, told eWEEK
About 48 percent of the survey participants reported their
organization had increased their use of encryption over the past two years,
with one third reporting "somewhat to extremely frequent" deployments
of "rogue" projects without any centralized management oversight,
Business groups and employees are often independently
encrypting the data without involving the IT department, according to Matthews.
While the move to encrypt is a good thing, these unauthorized deployments are a
challenge for IT because the data is lost and irretrievable if the employee
loses the key, forgets the passphrase or leaves the company without passing on
custody of the encryption keys. If IT doesn't have the key, it also becomes
harder to properly backup the data or to access the information as part of an
e-discovery request, he said.
Rogue projects pose a "recovery issue" for
organizations since that's data the IT department has no control over and if
told by the courts to hand over data, the "enterprise can't really say 'I
can't,'" Matthews said.
The costs of improper key management and fragmented
encryption deployments result in the organization not being able to meet
compliance requests, said 48 percent of the respondents in the survey. Others
named the inability to respond to e-Discovery requests and to access important
About 52 percent of the respondents said they have had
serious key management problems, with about a third claiming that keys were
lost or misplaced keys and another third citing key failure. A little over a
quarter, or 26 percent for the participants, said former employees refused to
hand over keys when they left the company, according to the survey.
Organizations need to think about the "employee
lifecycle" and consider what happens to business data when an employee
leaves, Matthews said. It's not enough to just think about the data lifecycle, he
said. There needs to be a consistent process for how keys are generated,
deployed and managed within the enterprise, according to Matthews.
About 40 percent of the enterprises in the survey were less
than somewhat confident they would be able to retrieve keys and 39 percent were
less than somewhat confident they would be able to protect data from
disgruntled employees, the survey found.
"As the Enterprise Encryption Trends survey
demonstrates, encryption needs to evolve from a fragmented protection
historically implemented at the line of business level to a capability that is
managed as a core component of organizations' IT security operations,"
said Joe Gow, director of product management at Symantec.
It has become fairly easy to get encryption software online
and users are becoming more aware of encryption, according to Matthews.
Malicious insiders may encrypt some files to hide their activities.
There may also be a "shadow IT" situation in place
where the business has to comply with regulations because of a partner company,
Matthews said. For example, regulations may require an insurance company to
encrypt certain types of data. The insurance company may in return require
partners that handle payments or other business functions to have a system in
place to decrypt and encrypt transaction data. With that system from the
insurance company in place, the employee at the third-party provider may be
encrypting other types of data used internally without IT knowledge, Matthews
The survey examined encryption use at 1,575 enterprises
around the world. Matthews said this was the "largest sample size"
he's ever had for this annual survey. The survey is usually conducted by
encryption vendor PGP, which was acquired by Symantec last year.