The Importance of Being Encrypted

A study conducted by Forrester Consulting, "The State of Data Security in North America", which was commissioned RSA, shows that in many companies encryption and key management programs are under developed. Mobile access to data and collaboration with partners are on the top of executives minds. A previous report by the Ponemon Institute found that while 66% of enterprises use some type of encryption, only 16% have a strategy.
These lack of cohesive enterprise encryption strategies are not particularly surprising when viewed against the back drop of data exposures in the last few years. According to the research on etiolated.org, which indexes attrition.org Dataloss database, estimates that 76,560,425 personal information records have been exposed this year alone. Since 2003 with California SB1386 was enacted as a state law requiring user notification of data breaches, the number of reported incidents has been steadily increasing.
The survey shows that the cost of encryption software and lack of a compelling business driver are the major hindrances to encryption use. Those two issue point to the ineffectiveness of current legislation to assess fines against companies that have exposed personal data. Encrytpion software is expensive to purchase and deploy and there is no conventional return on investment. Encryption is a sunk cost and the driver is avoiding exorbitant fines and the cost of lost business. With the exception of Cardsystems which was almost shut down for violating Visa PCI, the loss of private information is comparatively low. Without an associated cost to data loss, it's simply cheaper to assume the risk and do nothing than protect users data.
Respondents said the biggest operational problem is key management which includes key distribution, recovery, roll-over, and escrow, faced by organizations. As Jordan Wiens and Steve Hill pointed out in "Analysis: Enterprise Key Management", with no standards in place for key management, each encryption product becomes an island unto itself. Organizations that want to encrypt data on desktops, back-up tapes, and mobile devices will likely have three different products with three different key managers.
Foresters recommendations are good advice, you need a plan for data governance which includes classification of your data. You need to determine what data needs to be encrypted. And you need to find a vendor, or set of vendors, that addresses your needs.