In terms of overall security practice, well over half the organizations surveyed have formal management policies and procedures in place in all eight areas designated by the survey: change, patch, vulnerability, encryption key, IP address, server traffic, network and configuration management.
About half the respondents encrypt data for three potentially sensitive data types (customer, employee and transactional), and just over a third encrypt intellectual property data.
However, only a fifth of the companies encrypt data across all four information categories, according to the survey of 420 senior-level security managers in enterprises and government agencies, mostly in the United States, conducted by information security research firm Echelon One.
A quarter of the organizations said they encrypt only data required by regulation, such as Payment Card Industry (PCI) requirements, which cover credit card data. Two of five respondents said they encrypt data on mobile devices, reflecting regulatory requirements and rising security concerns over mobility.
More than a third of the respondents encrypt information in public and private clouds, while about a quarter don’t. But 40% said they did not know whether they are encrypting data in the cloud, perhaps indicating the use of cloud services outside IT's knowledge or control.