The Ponemon Institute has announced the results of its study into encryption trends. Now in its third year, the study has found that 70% of UK organizations have been hit by data breaches in 2008. One of the points made in the report, apparently, is that the use of data encryption software can have a significant impact on the number of breaches a company experiences.
Companies That Experienced No Data Loss
A poll of over 600 IT security professionals at different UK organizations revealed that,
…a third of those companies reporting no data loss incident in the last year claimed to have instigated an enterprise-wide encryption policy.
In contrast, [organizations] experiencing the highest number of data loss incidents were found to be the least likely to have introduced a consistently enforced, company-wide strategy governing the use of data encryption technologies. [from cbonline.com]
In fact, some companies didn’t have any breaches in 2008, and only because they had disk encryption like AlertBoot installed on their computers. This does not imply, of course, that no computers were lost or stolen at these companies. It just means they didn’t have a breach because the data could not be accessed after the devices were lost.
Correlation, Not Causation
I would like to believe that it was encryption that saved the day for the small number of companies that experienced zero breaches; however, believing that would be a fallacy.
More likely than not, said companies probably had a well thought-out and well-planned (and well-implemented, I should add) data security plan, which happened to include, among other things, the use of data encryption programs. I mean, there are ways of experiencing a data breach other than losing laptops. Their servers could have been hacked, someone could have made sensitive files available on the internet, an employee could have stolen data, etc.
When you consider all the different ways companies could have a data breach, you can’t deny that some amount of luck is necessary, in the sense that, say, they didn’t have any employees who taped their username and password to the bottom of a laptop.
Encryption Doesn’t Work? Neither Do Traffic Lights… If You Want to Use That Argument
Whenever I mention the “luck factor,” a small number of people seize on the comment and argue that it proves “encryption doesn’t work.”
What about all the examples that show that encryption does work to protect the contents of a computer? Cases where law enforcement tries to get a suspect to hand over the username and password to encrypted data? Or the sworn court affidavits where FBI agents testify that it’s impossible to crack encrypted information?
I guess a more accurate statement by the detractors would be “encryption doesn’t work all the time, even if it’s implemented correctly.” And I wouldn’t deny that.
But, planes crash, people run red lights, and people get killed in their homes. Does this mean we should get rid of air travel, get rid of traffic lights, and not live in our homes?
There are various ways one can have a data breach, which is why data security comes in layers. Encryption happens to be one of those layers.