Ponemon-Symantec Report: Compliance Is Biggest Encryption Driver

Regulatory compliance has moved up as the primary driver for encryption in the United States, according to a Ponemon Institute-Symantec report, moving ahead of data breach mitigation. The fifth annual U.S. Enterprise Encryption Trends report also reported a rise in the number of organizations that have experienced more than five breaches.

November 17, 2010


In the 2010 study of 964 U.S.-based IT managers and executives, 69 percent of the respondents cited compliance as a primary driver for adopting encryption, up five points over 2009. Mitigating data breaches, the previous leading driver, was cited as a primary reason by 63 percent of the respondents, a drop of 4 percentage points from the previous year.

"The issue of compliance has become more important to practitioners," said Larry Ponemon, chairman and founder. "We don't know if it's a blip with HITECH and the HIPAA expansion to business associates, PCI DSS, or various state laws such as Massachusetts, but it seems to be more important, especially around mobile devices, such as laptops." PCI has shown the most dramatic increase as a reason for encryption over the years, rising from 15 percent in 2007 to 69 percent.

Most of the respondents (88 percent) said their organizations had experienced at least one data breach, but only one category, those that reported more than five breaches, increased, up 3 percent to 25 percent.

The most dramatic change over last year's survey was the importance of encryption as part of the organization's risk management program. While most changes in responses year to year were measured in a few percentage points, nearly three-quarters of those surveyed said that data protection was "very important" in their risk management program, a 12 percent jump. "The fact that this category increased so much suggests that something in the environment convinces organizations this is something they have to do," said Ponemon. "I think it's a regulatory issue, coupled with data breaches, that has caused management to focus on encryption."

Most of the organizations (84 percent) said they had either fully implemented or were in the process of implementing encryption technology. The most prevalent use case is server encryption, but the fastest-growing and second most implemented is whole disk encryption, underscoring a growing interest in laptop encryption. The previous surveys were conducted with PGP Corp., prior to its acquisition by Symantec in April.

More revealing than changes from last year is the upward trend in encryption in the years covered by the surveys. For example, compliance was cited in only 44 percent of the responses in 2006, 25 points below the 2010 figure. Two-thirds of the organizations said they have an overall encryption strategy, nearly double the percentage reported five years ago. Thirty-eight percent of the organizations see encryption as a tool to improve brands, reputation and customer confidence, more than double the number in 2006.
