survey: how companies are securing critical data
SECUDE - US Full Disk Encryption
2011 Survey
Publication: March 2012
SECUDE - US Full Disk Encryption Survey 2011
Executive Summary
The incredible growth of Information Technology over the last few decades has led to an
explosion of corporate data spread throughout an organization on corporate servers,
mobile devices, and increasingly on cloud-based systems that may be managed by third
parties. In many cases, this is sensitive information and there is the potential for
corporate data to be compromised. The question is how to maintain control over this data
so that it is safe from potential abuse.
SECUDE, a global provider of IT data protection solutions, conducted a nationwide
survey in the United States in November 2011. The survey covered 209 participants
across various organizations. Eighty-eight percent of the participants were IT
practitioners.
The other participants included non-IT business executives (8%) and other non-IT
business roles (4%).
This research focused on the current status of data encryption technology application
across organizations and user perception towards Full Disk Encryption (FDE) solutions.
The comprehensive survey revealed the following facts:
• Fifteen percent of the organizations surveyed do not use any type of encryption
  solution in their systems.
  o Eighty-seven out of the 209 respondents surveyed stated that their
    organizations have not implemented FDE technology. Around 60% of
    them do not plan to implement it for the next two years.
• Sixty-three percent of the participants stated that their organizations were using
  at least two encryption technologies to protect their critical data.
• The top two encryption technologies used in the surveyed organizations are Full
  Disk Encryption (58%) and E-mail Encryption (46%).
• FDE solution users prefer solutions that require less effort in everyday use,
  such as:
  o Low performance impact on computer system resources
  o Transparency to end users
IT Executives such as CIOs, CTOs, Directors, and VPs 18%
IT Managers 15%
IT technical staff or relevant 54%
Table of Contents
Executive Summary
Key Findings
  Future Adoption of Encryption Technologies
  Full Disk Encryption Vulnerability Segment
  File and Folder Encryption Vulnerability Segment
  E-mail Encryption Vulnerability Segment
  External Media Encryption Vulnerability Segment
  What Organizations Are Looking For
Recommendation
Appendix
  RESPONDENTS’ PROFILES
  SYSTEM PROFILES
About SECUDE
Global SECUDE Locations
Key Findings
Current Adoption of Encryption Technologies: About 15% of the organizations
surveyed do not use any type of encryption solution listed in Table 1. The chart below highlights
encryption technology adoption.
Table 1: Encryption Technology Adoption
None of the above encryption technologies 15%
Database encryption 25%
External media encryption 31%
File/ Folder encryption 33%
Network traffic encryption 39%
Email encryption 46%
Full disk encryption 58%
Future Adoption of Encryption Technologies: Full Disk Encryption will be the form of
encryption technology that would be adopted most over the next two years, followed by external
media encryption. The chart below depicts the percentage of encryption technology adoption.
Table 2: Technology Adoption Percentage
Database encryption 21%
External media encryption 31%
File/ Folder encryption 25%
Network traffic encryption 20%
Email encryption 22%
Full disk encryption 41%
Full Disk Encryption Vulnerability Segment: Forty-two percent of the surveyed
respondents stated that their organizations have not implemented Full Disk Encryption technology.
Around 60% of them do not plan to implement it for the next two years.
Figure 1: Vulnerability Segmentation (Full Disk Encryption)
Segments:
Potential Enters: Currently NOT using FDE but would BUY within 2 years
High Risk: Currently NOT using FDE and would NOT buy any within 2 years
Continuous Protection: Currently using FDE and would buy more within 2 years
Relaxed Protection: Currently using FDE BUT WOULD NOT buy more within 2 years
Percentages shown: 25%, 33%, 16%, 25%; CURRENTLY AT RISK: 42%
File and Folder Encryption Vulnerability Segment: The survey reveals that US
organizations might have a high possibility of a data breach incident at the file and folder layer. Over
55% of participants revealed that their organizations did not pay much attention to this security area.
Figure 2: Vulnerability Segmentation (File and Folder Encryption)
Segments:
Potential Enters: Currently NOT using File and Folder Encryption BUT would buy within 2 years
High Risk: Currently NOT using File and Folder Encryption and would NOT buy any within 2 years
Continuous Protection: Currently using File and Folder Encryption and would buy more within 2 years
Relaxed Protection: Currently using File and Folder Encryption BUT WOULD NOT buy more within 2 years
Percentages shown: 13%, 20%, 56%, 11%; CURRENTLY AT RISK: 67%
E-mail Encryption Vulnerability Segment:
Figure 3: Vulnerability Segmentation (E-Mail Encryption)
Segments:
Potential Enters: Currently NOT using E-mail Encryption BUT would buy more within 2 years
High Risk: Currently NOT using E-mail Encryption and would NOT buy more within 2 years
Continuous Protection: Currently using E-mail Encryption and would buy more within 2 years
Relaxed Protection: Currently using E-mail Encryption BUT would NOT buy more within 2 years
Percentages shown: 11%, 35%, 42%, 12%; CURRENTLY AT RISK: 54%
External Media Encryption Vulnerability Segment:
Figure 4: Vulnerability Segmentation (External Media Encryption)
Segments:
Potential Enters: Currently NOT using External Media Encryption BUT will buy within 2 years
High Risk: Currently NOT using External Media Encryption and would NOT buy within 2 years
Continuous Protection: Currently using External Media Encryption and would buy more within 2 years
Relaxed Protection: Currently using External Media Encryption BUT would NOT buy more within 2 years
Percentages shown: 10%, 21%, 48%, 21%; CURRENTLY AT RISK: 69%
What Organizations Are Looking For:
All participants were asked to rate how important every feature is for them when choosing a Full
Disk Encryption solution for their organization. They rated based on a 7-point scale that ranged from
‘Not at all important’ to ‘Extremely important’.
Surprisingly, the study found that IT security solution users in the US tend to value core benefits or
features that involve day-to-day interaction (marked with a red dotted circle in the original charts).
This finding is in contrast to the benefits and features that are marketed extensively, such as easy
management and additional security layers that IT security vendors promote.
The following charts highlight usage preferences under the categories:
GENERAL IMAGE (Very important / Extremely important)
Price/ Good value for money 33% / 34%
Certifications (FIPS, Common criteria) 26% / 14%
Vendor image/ knowledge 27% / 16%
Existing relationship with vendor 13% / 10%
USABILITY (Very important / Extremely important)
Flexible authentication mechanisms 27% / 14%
Single sign-on to operating system 33% / 25%
Transparency to end-user (little/ no user … 35% / 39%
Offline helpdesk 19% / 16%
PERFORMANCE (Very important / Extremely important)
Low performance impact in day to day use 32% / 44%
Ability to use the system during initial encryption 22% / 19%
Quick initial encryption 23% / 14%
SECURITY (Very important / Extremely important)
Two-factor authentication 29% / 10%
Secure Wipe/ Delete/ Erase 33% / 24%
Support Self-Encrypting Drives 30% / 13%
MANAGEMENT (Very important / Extremely important)
Reporting and auditing 30% / 20%
Central management console 28% / 25%
Remote deployment and configuration 31% / 20%
Integration into third party management consoles 18% / 11%
Recommendation
Enterprises are aware of the options available to protect data but few have taken the necessary
steps in the area of Full Disk Encryption. While some have taken this step, an alarming number of
enterprises have not encrypted their laptops and may potentially suffer from a breach when those
laptops are lost or stolen. This will inevitably lead to damage to their brand and reputation as well
as fines and lawsuits which may be in the millions of dollars whether or not there was any harm
done with the lost data. In order to protect corporate data and to comply with legislation in many
states, companies should review their security policies and take the basic first step of encrypting
their laptops through Full Disk Encryption.
Appendix
RESPONDENTS’ PROFILES
Slightly more than half (51%) of the participants were from organizations with more than 1,000
employees.
Organization size (%)
1 - 50 employees 13%
51 - 200 employees 22%
201 - 500 employees 8%
501 - 1,000 employees 6%
1,001 - 5,000 employees 20%
5,001 - 10,000 employees 5%
10,001+ employees 26%
Nevertheless, more than half (59%) of them were working in industries that dealt with massive
personal records or required strong information security.
Vertical Industry (%)
Information Technology 21%
Manufacturing & Construction 11%
Finance/ Insurance 12%
Education 12%
Services 10%
Healthcare 8%
Government Dept/ Agency 6%
Aerospace/ Defense/ Transportation 8%
Utility/ Energy 3%
Consumer Goods 3%
Others 5%
SYSTEM PROFILES
In the United States, Dell is the most popular laptop brand in use, followed by HP and IBM.
Nearly one third of the companies use Apple.
Popular Laptop Brands (%)
Dell 74%
HP 47%
IBM/Lenovo 45%
Apple 33%
Toshiba 13%
Sony 8%
Acer 5%
Windows 7 and Windows XP are the two most popular operating systems.
Operating Systems (%)
Windows 7 88%
Windows XP 88%
Windows Vista 23%
Windows 2000 18%
Linux flavor 35%
Mac OS X Leopard 18%
Mac OS X Snow Leopard 26%
OSX Lion 20%
Unix flavor 28%
About SECUDE
SECUDE is an innovative global provider of IT data protection solutions.
The company was founded in 1996 as a collaboration between SAP AG and the Fraunhofer Institute
in Germany to develop security solutions.
In early 2011, SECUDE sold its business application security solutions to SAP AG in order to
refocus on its core competencies: Endpoint Security. SECUDE helps customers to protect their
sensitive data against loss and theft as well as to maintain compliance with various laws and
industry regulations.
Since December 2011, SECUDE has been a member of the SAP® PartnerEdge™ program and a Value Added
Reseller (VAR) channel partner of SAP Deutschland AG & Co. KG, and since February 2012 also a
channel partner of SAP (Schweiz) AG. As an SAP VAR, SECUDE offers customers sale of licenses
as well as consulting and implementation services for SAP NetWeaver® Single Sign-On, besides its
own solution portfolio.
Today SECUDE employs over 75 qualified staff and has the trust of a large number of Fortune
500 companies including many of the DAX-listed companies.
SECUDE has offices in Europe, North America and Asia.
For further information please visit www.secude.com and/or contact us on [email protected]
SECUDE AG
Bergegg 1
6376 Emmetten, NW
Switzerland
Phone: +41 (0) 44 575 1900
Fax : +41 (0) 44 575 1975
Copyright SECUDE AG 2012
SECUDE is a registered trademark of SECUDE AG. Microsoft is a registered trademark of the Microsoft Corporation. Other
product and company names mentioned herein serve for clarification purposes and may be trademarks of their respective
owners.
Global SECUDE Locations
Germany | India | Switzerland | USA | Vietnam
RESEARCH DISCLAIMER
As with all survey research that involves humans, this research too has certain inherent limitations that need to
be considered before drawing inferences from the findings.
Non-Response: The findings of this survey are based on a finite sample of survey responses.
Survey invitations were sent to a representative sample of IT and non-IT related business functions. Most
of the surveyed entities contributed qualified responses.
Sampling-Frame: Accuracy of the survey is based on valid contact information and the percentage of IT and
non-IT representatives across business disciplines. The results may be biased by external events. As
SECUDE conducted the survey over the Internet, it is possible that non-Web responses (mailed survey
responses or telephone calls) may have drawn different results.
Self-Reported Results: The quality of the survey is based on the integrity of confidential responses
received from respondents. Despite the incorporation of checks and balances in the process, it is possible
that certain subjects may have provided untruthful or qualitatively incomplete responses.