In April, PGP issued the results of a survey of nearly 650 UK-based IT and business managers, analysts and executives, in which it had asked them about their usage of encryption.
In one respect, the findings looked positive. The number who said they were using encryption to comply with regulations had gone up from 17% in 2007 to 58%. The number who said they had an encryption strategy applied consistently across the organisation was lower – at 15% – but it was an improvement from 9% the year before.
Looked at another way, however, it meant that 42% still have no encryption whatsoever, and 85% still have no clear strategy for implementing encryption across the enterprise. In other words, the results show little real planning in the introduction of encryption and suggest that most usage is done mainly to fix a single problem or satisfy some compliance requirement.
So what is it about encryption that makes companies avoid doing it? Ian Kilpatrick, managing director of distributor Wick Hill, says part of the problem is outdated views of how encryption works. "Encryption used to be incredibly complex, it used to eat resources, it was difficult to manage and you also worried about how to get people to buy into it," he says. "For many people who have been in IT for a while that is how they view it. They think it will degrade the performance of their machines, and hamper the way they work. Ten, maybe five, years ago that was true, but not any more."
David Tomlinson, head of Data Encryption Systems, agrees and says he still gets questions from prospective customers about performance and complexity, adding that people are often surprised to see how easy the systems are to use now.
The greater interest has been fuelled by a range of factors, according to Geoffrey Finlay, chief executive of nCipher. "We have reached an inflection point in the industry caused by a combination of market dynamics, involving compliance, an increased threat, and the need for better risk mitigation. The concerned individuals at the top of companies are at risk, and we are seeing the CFO as particularly vulnerable."
Hence the new-found interest in encryption. Kilpatrick, whose company handles products from Utimaco and Pointsec, says the technology has improved immensely in the last few years, and that he has done the equivalent of six months' business in the last three months.
"In other areas of software, you tend to get bloatware, but encryption software is more efficient, runs in background cycles and uses a better set of algorithms," he says. "It is also much easier to manage. Unified encryption management allows you to manage multiple types of encryption from one central point. So you are not using point solutions to do your network, your network-attached storage, or your USB ports, which can be clunky."
But as Tomlinson insists, encryption is not just about buying a product and installing it. A proper strategy is required to make it work right across the enterprise. "Full disk encryption on your laptop lets you do something stupid with your information – such as leaving it in a pub or taxi," he says. "Granular encryption – being able to encrypt information on or off the computer, in the cloud, on an FTP server, being emailed or burnt to disk and given to a courier – allows you to do something clever. It allows you to move the information around and share it securely. It means you still have all the rich communications mechanisms we have developed, but do them securely. And those are the kind of things people are asking about now."
The technology also has to be easy to use, and not seen as a barrier to users getting their work done. According to Volker Scheidemann, head of product management at Applied Security: "Any internal encryption solution must be fully accepted by users and must not present a new barrier to their day-to-day business. The user should not notice the encryption process at all because there is no need to initiate the process manually. Nor should the user need to determine what data to encrypt as the process is automatic."
Scheidemann also recommends a separation of duties between the system administrator and the security officer, so that policies cannot be altered by one person.
Fortunately, most modern systems mask the complexity of the underlying algorithms, modern processors can cope with the extra processing involved, and the wider use of user directories makes it easier to manage keys.
"There are even fewer reasons now not to use encryption," says Kilpatrick. "Once you set up Active Directory, you have management of access rights and user rights. You don't have to run around every time someone changes their job title or leaves the company. It all happens as a background job. You're institutionalising security."