Thu, March 22, 2007 — CIO — Every week, another instance of a misplaced notebook or hard drive with private customer data seems to surface. Why weren’t these drives encrypted? Some IT departments view encryption as a possible administration hassle—but that’s changing. Enterprises are starting to build comprehensive encryption strategies across multiple applications, using a single platform to ease management, according to new data from the Ponemon Institute.

Among 768 U.S. IT and business managers surveyed by Ponemon, 66 percent say that they use some kind of encryption to mitigate data breaches. Use of encryption has increased by 31 percent in the past year, and more e-mail applications, file servers, mobile devices and laptops are using it, says Larry Ponemon, chairman and founder of the Ponemon Institute.

Although only 16 percent of respondents say they have an encryption strategy that’s enforced across the enterprise, 68 percent feel that having encryption policy enforcement across all applications is important.

CIOs need to help business leaders understand why this is a priority: “CIOs are the stewards of information, and encryption is about securing the information that puts your organization most at risk,” Ponemon says.

Half of the companies today use encryption on an as-needed basis, meaning it’s not mandated. “Some organizations allow users to make the decision,” Ponemon says.

Deploying encryption tools piecemeal can strain IT departments with repetitive tasks and increased costs, the report says.

IT groups see the trouble coming. Almost 70 percent of respondents feel it’s important to have an automated encryption enforcement policy. For example, an automated e-mail policy would kick in when a user sends an e-mail that’s not encrypted, but which should be, says Ponemon. Violations can be tracked as well.

One way to simplify: An encryption platform solution lets IT manage multiple encryption applications from one console, eliminating redundant administrative tasks and reducing operational costs. Eighty-nine percent of respondents have either started building a platform approach or are interested in one.

Best Practices

Be proactive. Don’t wait until your company data is compromised before you look at encryption options. “CIOs need to understand what information creates the greatest risk,” Larry Ponemon says. “This means partnering with business units to identify where encryption is appropriate.”

Be comprehensive. It’s hard to argue that you’re thinking strategically if you’re encrypting only individual applications and missing a platform approach (which lets you manage from one console and avoid redundant administrative chores).

Use an automated encryption policy. “You can have a great policy, but unless users know you’re enforcing it, it won’t be effective,” says Ponemon. “That’s one of the problems with encryption historically: It’s been mandated on paper but the compliance was less than 50 percent because no one was watching. Now you can watch.”