Encryption tossed into the too-hard basket

Very few enterprises in Australia use encryption to protect sensitive data, especially if it involves customer data.

Given the high number of security breaches, Deakin University IT director Craig Warren said it is alarming to learn that so few companies make use of encryption.

While the university doesn't encrypt data, Warren said strict security protocols are in place so encryption could end up being a burden.

"We heavily segment our Virtual Local Area Network (VLAN) and encrypt any password exchange as well as things like human resources information; but we do not encrypt backup tapes and laptops," Warren said.

"Even if you had backup tapes sent offsite most storage companies have clauses in their contracts preventing them from accessing the data. Because of our security, encryption is not an issue for us."

But the reality is only 4.2 percent of companies have an enterprise-wide encryption plan, according to the Ponemon Institute's 2005 National Encryption Survey which was commissioned by the PGP Corporation.

However, Legal.consult's legal and technology director, Andrew Perry, said in Australia the figure translates to less than 4 percent, although the Privacy Act has made business more aware about securing personal information.

Although encryption is seen as an important security tool, it was considered complex and difficult to use.

Survey respondents claim the main reasons for not encrypting sensitive or confidential information was concern about system performance (69 percent), complexity (44 percent) and cost (25 percent).

"As encryption software gets easier to both use and deploy, widespread acceptance should follow," Perry said.

"Today it is easier to encrypt and decrypt which means companies have less of an excuse about whether or not they have data stored on tape or use an offsite storage facility.

"If the relevant network is secure then that is one way of reducing the risk of data theft, but it is ironic if a Web site has an SSL encryption to collect data from a user but then sends that data as a backup from the e-commerce server to an offsite storage site that is transported and stored unencrypted."

Organizations that store a lot of customer data include those in the telecommunications and financial services sector.

For example, a spokesperson for the St George Bank confirmed triple DES encryption is used extensively to protect customer data.

However, Telstra wasn't so willing to disclose such details.

A spokesperson for the telco said privacy is a top priority, but added "we do not feel the need to divulge or confirm if any customer data, either held onsite or off, is encrypted."

Join the Computerworld newsletter!

Error: Please check your email address.

More about ACTDeakin UniversityDeakin UniversityPGPSt George BankTelstra Corporation

Comments

Comments are now closed

Fake traffic infringement emails doing the rounds in NSW

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]