The figures come from a study, which was commissioned by the information systems company Thales Group and carried...
out by California-based market research company Trust Catalyst. The research took feedback from 655 companies around the world, 45% of them in Europe.
It found that the top types of encryption being used were Web server encryption (77% of respondents), server-based file encryption (57%), desktop file encryption (56%), FTP file encryption (54%) and network link encryption (53%).
Database encryption, however, was used in only 43% of companies, and just 41% of respondents said they were encrypting backup tapes.
The main reasons for not introducing encryption were cost and complexity. The cost of the encryption tool was the prime cause in 26% of cases, followed by the cost of managing the encryption product.
Key management complexity also discouraged 24% from encrypting backup tapes. Some were worried about losing keys and not being able to access backup data, especially data that had been archived for a longer period. One in five respondents said it would take an actual data breach to trigger tape encryption in their organisations.
Commenting on this aspect, the report stated: "The likelihood of breaches and the costs to the business are only increasing. In our opinion, organisations that ship tapes must encrypt tapes."
One explanation for the uncertainty concerning key management lies in the answer the respondents gave to the question: "Where are your encryption keys stored?" Some said they stored keys in a high security module (HSM), others in a database, on a disk or on a USB device. But the majority of respondents -- in practically every category apart from Web server keys, full disk encryption keys and desktop file encryption -- admitted they had no idea where keys were kept.
The report's author is Kimberley Getgen, who before founding Trust Catalyst, worked for RSA, the security division of EMC, and then founded Reconnex Corp., a data leakage prevention company she sold to McAfee Inc. last year.
She concluded that "given the new regulatory climate, many organisations will need to ask themselves what will be worse -- paying for automated key management to overcome data availability fears, or losing customers in a [data] breach."
Getgen added that given the high potential cost of a data breach -- in term of fines, loss of reputation and the cost of informing those affected -- it was "no longer a sustainable risk management strategy" to postpone encryption decisions, especially for backup tapes.