The study, which was commissioned by the security software company PGP, concluded that the main consequences to business of data protection failure can almost certainly include loss of customers/difficulty in acquiring new ones, as well as irreparable brand damage. No great surprises there then!
However, what was interesting, given that this was a UK-centric report, were the differences in attitude towards strong data protection; the use of encryption facilities etc. between end-user business organizations in the US that already have to deal with stringent data loss disclosure laws, and their counterparts in the UK that currently do not have this overhead.
Without doubt, overall business awareness is growing about the consequences to the organization of being caught out by data breaches that occur when corporate information has not been adequately protected. For some time now in the US, regulations have dictated that where data security breaches occur through loss or security incursion, affected customers must be properly notified.
Mitigation against the need to comply with these expensive and time-consuming regulations is only accepted when the business involved can prove that the lost data could not be used by a malicious third party due to it having been securely protected through the use of encryption technology at the time that the data loss took place. Therefore, it comes as no great surprise to find that by far the top reason cited by US companies for making extensive use of encryption technology was the need to achieve regulatory compliance.
In the UK, where the same levels of regulatory enforcement are not currently in place, a different range of fear factors came into play. The top-of-the-list driver for UK companies when deciding to take up or increase the use of encryption was shown in the study to be brand protection; only then, as a secondary consideration, was it thought necessary to consider privacy commitments to the customer.
Only 10% of UK companies surveyed cited the need to use encryption technology to mitigate against data breaches, and no respondents reported that they were using the technology to avoid notification requirements, almost certainly because the only time that this becomes necessary is when a security breach finds its way into the public domain via third-party reporting channels.
The conclusions of this UK-focused study were that, as we go forward and the potential for government-imposed fines and customer notification increases, businesses will make more use of encryption applications.
Realistically, organizations already have an ongoing need to identify and work to protect all data elements of their applications that are considered to be at risk. This includes data at rest in corporate repositories and data in transit over public networks. Good quality encryption provides valuable protection at the data layer. Usage of the technology is growing significantly year-on-year, and a platform-based approach that allows strategic management, policy, and provisioning of service controls to be delivered centrally makes sense both in the compliance-driven US market, and in the less-regulated but equally exposed UK arena.
It would be nice to think that business could be relied upon to properly protect the sensitive information that it holds in order to support operational systems. Many such organizations have driven customer access and support services towards the web in order to support efficiency and save money. Unfortunately, unless regulations that have teeth are put in place, most will continue to do the minimum required to protect their customers.
Source: OpinionWire by Butler Group (www.butlergroup.com)
