Encryption tossed into the too-hard basket
- 23 January, 2006 09:27
Very few enterprises in Australia use encryption to protect sensitive data, especially if it involves customer data.
Given the high number of security breaches, Deakin University IT director Craig Warren said it is alarming to learn that so few companies make use of encryption.
While the university doesn't encrypt data, Warren said strict security protocols are in place so encryption could end up being a burden.
"We heavily segment our Virtual Local Area Network (VLAN) and encrypt any password exchange as well as things like human resources information; but we do not encrypt backup tapes and laptops," Warren said.
"Even if you had backup tapes sent offsite most storage companies have clauses in their contracts preventing them from accessing the data. Because of our security, encryption is not an issue for us."
But the reality is only 4.2 percent of companies have an enterprise-wide encryption plan, according to the Ponemon Institute's 2005 National Encryption Survey which was commissioned by the PGP Corporation.
However, Legal.consult's legal and technology director, Andrew Perry, said in Australia the figure translates to less than 4 percent, although the Privacy Act has made business more aware about securing personal information.
Although encryption is seen as an important security tool, it was considered complex and difficult to use.
Survey respondents claim the main reasons for not encrypting sensitive or confidential information was concern about system performance (69 percent), complexity (44 percent) and cost (25 percent).
"As encryption software gets easier to both use and deploy, widespread acceptance should follow," Perry said.
"Today it is easier to encrypt and decrypt which means companies have less of an excuse about whether or not they have data stored on tape or use an offsite storage facility.
"If the relevant network is secure then that is one way of reducing the risk of data theft, but it is ironic if a Web site has an SSL encryption to collect data from a user but then sends that data as a backup from the e-commerce server to an offsite storage site that is transported and stored unencrypted."
Organizations that store a lot of customer data include those in the telecommunications and financial services sector.
For example, a spokesperson for the St George Bank confirmed triple DES encryption is used extensively to protect customer data.
However, Telstra wasn't so willing to disclose such details.
A spokesperson for the telco said privacy is a top priority, but added "we do not feel the need to divulge or confirm if any customer data, either held onsite or off, is encrypted."
Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.
- ESG Whitepaper: Integrated Computing Platform Survey
- The SPARC Difference - Reduce Risks, Cut Costs, Power Innovation
- How the Cloud Changes the Game for Line of Business Managers in Midsize Companies
- Detecting APT Activity with Network Traffic Analysis
- NetApp FAS6240 Clustered SAN Champion of Champions
Verizon, Jennifer Lopez partner on Latino-focused wireless stores
Santos migrates to Windows 7 before XP support ends
Australia remains black spot for Vodafone
WikiLeaks Party closer to registering
AusCERT 2013: NBN users need security professionals’ help, says Google