Cryptography remains a key part of organisational security
Around three-quarters of auditors believe that an organisation's information assets cannot be fully protected without the use of cryptography.
A survey of 500 auditors by Thales and the Ponemon Institute found that 71 per cent believe that an organisation's information assets cannot be fully protected, even within the corporate boundary, without encryption. Eighty-one per cent believed that sensitive or confidential data should be encrypted whenever practical.
The research also found that the majority of auditors believe organisations are still not taking data security seriously and are not allocating sufficient resources to achieve data compliance requirements. Only 32 per cent of those surveyed said that the organisations they audit are proactive in managing privacy and data protection risks, while 45 per cent said those organisations applied sufficient resources to achieve their data compliance requirements.
Dr Larry Ponemon, chairman and founder of the Ponemon Institute, said: “The use of encryption to protect data is now past the point of debate; everyone is using it and this report corroborates this. However, the question to be addressed now is how, when and where to deploy the technology. The research indicates that there are indeed genuine areas of uncertainty when deploying encryption, particularly arising from the numerous business drivers and diverse compliance requirements.
“What organisations now need to do is ensure they adopt a strategic approach, proactively identifying and then following best practice when deploying cryptography to ensure they not only meet compliance around data protection but they also serve their wider security and operational needs.”
Franck Greverie, vice president of information technology security activities at Thales, said: “Protecting customer and business data ought to be top priority for every organisation, but demonstrating compliance does not inherently translate into data security. The report provides a valuable insight into the standards of due care that auditors expect to be applied when deploying cryptography, particularly regarding key management.”