
The increasingly mobile nature of data has put growing pressure on IT departments. Not long ago, data was secured primarily by the physical security of the building where it was held. Now, with laptops and handheld devices in ubiquitous use, a secure physical environment, while still necessary, is no longer sufficient.
A perfect storm for IT
As we enter a new decade, IT departments are faced with a proverbial ‘perfect storm’ when it comes to data security. Departments are dealing with reduced operating budgets, so they have to do more with less. At the same time, there is a growing movement from government to regulate the security of data, such as the announcement earlier this year by the UK Ministry of Justice that the Information Commissioner's Office (ICO) would have the power to fine organisations up to £500,000 for serious breaches of data protection principles.
Additionally, the European Council has approved a data breach notification rule for Europe's telecommunications firms. This amendment to an EU Directive will force telcos to inform customers if they lose their data. The growing number of laws around data security will force the hand of corporations to establish processes that protect the data they hold. If they don’t, they could face significant financial and reputational repercussions when a data breach occurs. According to the Ponemon Institute, the average cost of a data breach to an organisation in the UK is £1.7 million, while in Germany it is €2.41 million [1].
Along with reduced operating budgets and growing government legislation, the general public has become acutely aware of (and concerned about) the security of their personal data as the instances of lapses in data security continue to increase.
And finally, there is growing mobility of the workforce – from people travelling with their data to employees ‘telecommuting’ from home. According to the Ponemon Institute, over 3,500 laptops go missing every week in European airports. That is roughly one laptop every three minutes. While mobility creates business opportunities, it also means more corporate devices outside of the traditional workplace. The result is the creation of a new ‘information perimeter’.
The problem of encryption
This perfect storm raises the obvious question for any IT department: how do you secure data that you cannot track?
Encryption has, for some time, been the de facto standard for securing data. It is an important part of any approach to data security, but encryption alone is not enough. It does not let IT track the device, and it says nothing about what information was stored on a missing or stolen laptop. If the encryption was actually switched on and the machine was powered off when it was taken, the data on it remains unreadable; the trouble is that IT usually cannot confirm either condition after the fact. So when an encrypted laptop goes missing, all IT really knows is that a laptop holding potentially damaging information is outside its control, with no means of retrieving the data.
Further evidence that encryption isn’t enough for corporate security comes from the Ponemon Institute. According to its latest report [2], there is no guarantee that encryption is even being used in the workplace. Surveying non-IT business managers in the UK, it found that 53 per cent of them had disengaged the encryption technology on their business hardware. This was despite the fact that 61 per cent of laptop thefts in the UK have resulted in a data breach.
The cultural divide
The Ponemon Institute study also reveals that a cultural divide exists between non-IT business managers and IT practitioners when it comes to security – in more ways than one. The report found that a high percentage of employees surveyed in business functions were not taking precautionary steps such as using complex passwords, not sharing passwords, keeping their laptop physically safe when travelling or locking their laptops to their desks to protect sensitive and confidential data. In fact, 36 per cent went as far as writing down encryption keys and passwords to jog their memories. Further, many respondents believe that encrypted solutions make it unnecessary to take other security measures.
In contrast, their colleagues in IT are diligent in taking precautionary steps to safeguard the sensitive and confidential information on their laptops, and none admitted to writing down important security information. They believe encryption is an important security tool, but also believe it is critical to follow certain procedures to ensure that data is protected if a laptop is lost or stolen.
Another cultural divide is apparent between countries, and the US appears to be the worst offender when it comes to business security. The study found that 15 per cent of German and 13 per cent of Swedish business managers have disengaged their encryption solution. In contrast, 52 per cent of Canadian and 50 per cent of French business managers have disengaged encryption, while US business managers top the survey at 60 per cent.
A layered approach
Put simply, even if your business has encryption technology, your employees can’t be relied upon to use it. There is still a big divide between IT’s understanding of security and that of the rest of the business, and despite frequent and high-profile cases of data theft and loss, it seems business managers still struggle to see why they need to take responsibility.
This is the ‘human factor’ at work – as long as you employ people, mistakes will be made. For the IT team, success lies in a layered approach to security, one that lets them track devices on and off the local area network, verify that the controls on those devices are actually in force, and provide several options for dealing with the data if a laptop does go missing, instead of simply hoping the encryption was not disabled. Only then can IT be confident that if the worst happens and a laptop is stolen, they can at least delete the data remotely, and at best bring the laptop and its contents safely home.
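As an added example (not part of the original article and not Absolute Software's product code), the check below shows how IT can verify, rather than hope, that encryption is in force on a Windows laptop: it parses the per-volume blocks printed by `manage-bde -status` and flags volumes that are not fully encrypted, that have protection suspended, or that have no key protectors. The status text is constructed here to mirror that tool's layout with some fields omitted; the field names it relies on (`Conversion Status`, `Protection Status`, `Key Protectors`) are assumed from that layout.

```python
"""Endpoint encryption compliance check (added example).

Parses the per-volume blocks printed by `manage-bde -status` on Windows and
flags volumes whose protection is not actually in force. The status text below
is constructed in the layout of that tool (abridged), not captured from a machine.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: C: is encrypted but suspended (the "disengaged" case),
# D: is compliant, E: was never encrypted.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        Password

Volume E: [Scratch]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]): ", re.MULTILINE)
FIELD_RE = re.compile(r"^\s+(Conversion Status|Protection Status|Key Protectors):\s*(.*)$")


@dataclass
class VolumeStatus:
    letter: str
    conversion: str = ""
    protection: str = ""
    key_protectors: list = field(default_factory=list)


def parse_status(text):
    """Split the tool output into one VolumeStatus per 'Volume X:' block."""
    heads = list(VOLUME_RE.finditer(text))
    volumes = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        lines = text[head.end():end].splitlines()
        vol = VolumeStatus(letter=head.group(1))
        for idx, line in enumerate(lines):
            m = FIELD_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2).strip()
            if name == "Conversion Status":
                vol.conversion = value
            elif name == "Protection Status":
                vol.protection = value
            elif not value:
                # Protectors are listed one per line, indented under the header;
                # "None Found" on the header line itself means there are none.
                for sub in lines[idx + 1:]:
                    if not sub.strip():
                        break
                    vol.key_protectors.append(sub.strip())
        volumes.append(vol)
    return volumes


def audit(text):
    """Return (volume, reason) for every volume that is not actually protected."""
    findings = []
    for v in parse_status(text):
        if v.conversion != "Fully Encrypted":
            findings.append((v.letter, f"not fully encrypted ({v.conversion})"))
        elif v.protection != "Protection On":
            # Fully encrypted but suspended: BitLocker keeps the volume master key
            # in the clear on disk, so the data is readable without credentials.
            findings.append((v.letter, "protection suspended; key stored in the clear"))
        elif not v.key_protectors:
            findings.append((v.letter, "no key protectors configured"))
    return findings


if __name__ == "__main__":
    for letter, reason in audit(SAMPLE_STATUS):
        print(f"Volume {letter}: NON-COMPLIANT - {reason}")
```

Run against live output (`manage-bde -status` from an elevated prompt, fed to `audit`), the suspended case is the one to watch: the volume still reports itself as fully encrypted, which is why an inventory tool that only records "BitLocker: yes" will miss exactly the laptops the survey describes.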
1. ‘Cost of a Data Breach Report’, Ponemon Institute, January 2009
2. ‘The Human Factor in Laptop Encryption’, Ponemon Institute and Absolute Software, March 2010 – www.absolute.com/human-factor