Each year at RSA Conference, vendors and service providers release annual reports examining different aspects of information security. The report produced by Thales contains some interesting insights into the use of encryption, and it points to Australian companies lagging by a long margin.
Peter Galvin, from Thales’ Global Strategy and Marketing team, told us there’s been a continuous increase in the number of people using encryption with over 40% of people now using encryption in some form.
“That begins to show the ubiquity of encryption,” he says.
That protection extends beyond financial data and intellectual property to personal information as well.
He also noted that while many companies have been implementing encryption for some time, just over a third now have a specific strategy for how it is used rather than using encryption in a haphazard way. When the survey was first taken, just 11% of respondents had an encryption policy. That’s now closer to 37%.
Those policies cover what is going to be encrypted and where that will occur. There’s a growing understanding that not all data needs to be encrypted and decisions need to be made about whether on-premises and cloud-based data need to be treated the same way.
Another trend the survey identifies is a marked improvement in key management, although it remains a challenge.
John Grimm, a director at Thales, says key management is a “struggle point”.
“So much of your encryption policy has to come out and be instantiated by multiple products. You have your database encryption, your SSL, applications – those have to be all managed separately and differently”, he says.
Amongst the problems, says Grimm, is a lack of skills in key management and difficulties in implementing consistent policies across different products where implementation and user interfaces differ substantially.
“It’s more complicated than people realise,” he added.
And, as a result of the challenges, people tend to do what’s operationally easier rather than what’s most secure. And they either don’t try to create a policy or have a poorly conceived one as the systems are too difficult to govern consistently.
Grimm says companies that do encryption well see it as an integrated layer in their security system, just like identity management or system access. And the encryption follows the data as it moves in and out of the corporate data centre, whether that’s on-premises, on mobile devices or in the cloud.
That means not relying on platform-specific encryption, because it will be applied inconsistently over the life of the data.
Another change Grimm and Galvin have noted is the move towards tokenising data. Apple Pay is a very public example of how this works – sending not the credit card data but a token that represents the validated information – and it is also an approach enterprises are looking towards.
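The tokenisation pattern described above, as an added illustration that is not from the article or from Thales: a minimal token vault that hands callers an opaque random token in place of the card number, so the number itself never leaves the vault. The `TokenVault` class, the `luhn_valid` check, the caller names and the card numbers are all constructed for this example.

```python
"""
Added example (not from the Thales report or the article): a minimal
tokenisation vault. Callers never transmit the primary account number
(PAN); they receive an opaque, randomly generated token, and only the
vault can map it back. All card numbers below are constructed test values.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: accept only well-formed card numbers before tokenising."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    # token -> PAN and PAN -> token; in a real deployment this mapping lives in
    # a separate, hardened system, not alongside the application that uses tokens
    _store: Dict[str, str] = field(default_factory=dict)
    _reverse: Dict[str, str] = field(default_factory=dict)

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenise a malformed card number")
        if pan in self._reverse:
            # same PAN -> same token, so a merchant can recognise a repeat customer
            return self._reverse[pan]
        # the token keeps only the last four digits for display; the rest is
        # random, so the token carries no information about the full PAN
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._store[token] = pan
        self._reverse[pan] = token
        return token

    def detokenise(self, token: str, caller: str,
                   allowed: Tuple[str, ...] = ("payment-processor",)) -> str:
        """Only an explicitly allowed caller may recover the PAN (assumed policy)."""
        if caller not in allowed:
            raise PermissionError(f"{caller} is not authorised to detokenise")
        return self._store[token]


def run_demo() -> dict:
    """Exercise the vault and return the observable results for checking."""
    vault = TokenVault()
    pan = "4111111111111111"        # constructed test number that passes Luhn
    token = vault.tokenise(pan)
    repeat = vault.tokenise(pan)
    recovered = vault.detokenise(token, "payment-processor")
    try:
        vault.detokenise(token, "web-frontend")   # hypothetical unprivileged caller
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "token": token,
        "same_token_on_repeat": repeat == token,
        "recovered": recovered,
        "unprivileged_blocked": blocked,
    }


if __name__ == "__main__":
    print(run_demo())
```

The token is what gets stored in order records, logs and analytics; only the payment path that genuinely needs the card number is allowed to call `detokenise`, which is the property the article's "token that represents the validated information" is pointing at.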
One of the things that came out of the report was the number one attack threat was employee mistakes. Across ten of the 11 different countries included in Thales’ research, about half the companies surveyed ranked this as their most significant issue.
But in Australia, the results were “off the charts” according to Grimm.
93% of Australian companies in the survey reported employee errors as their number one security threat.
This begs the question – why is this such a major concern for Australian companies? Is this driven by a skills shortage, poor awareness of other issues and a lack of end user training?
Or are companies understating, either intentionally or through a lack of insight into the importance and potential severity of other issues?