70% of UK Organisations Hit By Data Breach Incidents Within Last Twelve Months

PGP Corporation announced the results of the third annual study by The Ponemon Institute, identifying the steps UK organisations are taking in order to safeguard their confidential data. The 2009 Annual Study: UK. Enterprise Encryption Trends study, which polled IT security professionals at 615 enterprises and public sector organisations, found that 70% of UK organisations have been hit by at least one data breach incident within the last year, up from 60% in the previous year. 

The number of firms experiencing multiple breaches was also up, with 12% of respondents admitting to more than five data loss incidents in the twelve month period (up from 3%). Less than half of these breaches (43%) were publically announced; there was no legal or regulatory requirement to disclose the remaining 57% of incidents.   

The public sector experienced the highest number of data loss incidents in the last year, reporting an average of 4.48 breaches per organisation. Financial services firms were the next most likely to suffer data loss (an average of 3.11 incidents per year), followed by the education sector (2.74), healthcare and pharmaceutical firms (2.65) and the professional services industry (2.52). Faring better were the entertainment, media and defence sectors, none of which reported any data breaches.

Those organisations experiencing the highest number of data loss incidents were the least likely to have introduced a consistently enforced, company-wide strategy governing the use of data encryption technologies. Of the firms reporting more than five loss incidents, none had any kind of encryption strategy in place. In contrast, one third of those companies reporting no data loss incident had instigated an enterprise-wide encryption policy, with a further 36% having introduced a partial strategy to protect certain applications, departmental activities or data types (e.g. credit card numbers). 

In response to some high profile cases of lost and stolen laptops, together with the increased business use of smartphones, this year’s study also assessed organisational approaches to encrypting data held on mobile devices. While 51% responded that this was ‘very important’ or ‘important’, 34% of firms believe it is only sometimes necessary to encrypt the confidential data held on portable devices; 13% considered it completely unimportant. 

"While the number of breaches is growing, there is increasing appetite for solutions that can alleviate the costly and time consuming task of managing encryption keys across the whole of the organisation," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "On the whole, UK businesses are looking closely at platform-based encryption solutions – with built in key management capabilities – rather than point solutions supplied by multiple vendors. This doesn’t just make sense from a management or cost point of view. This study clearly illustrates that a unified approach reduces the risk of data loss."

Despite the rising number of data breaches, UK organisations are aware of the consequences of such incidents, with 61% of respondents stating that data protection played an ‘important’ or ‘very important’ role in an organisation’s overall risk management efforts. 46% felt encryption helped them meet privacy commitments and almost the same number (45%) believed encryption was a critical factor in protecting a company’s reputation. Of the regulations currently impacting firms’ approaches to data encryption, the EU Privacy Directive was considered the most influential, followed by Payment Card Industry (PCI DSS) requirements and then the UK Data Protection Directive. Only 10% singled out the Information Commissioner’s Office (ICO) as the most influential regulator impacting data encryption.

"It’s clear that UK organisations recognise the need to protect customer information and other valuable data assets, but while their intentions may be good, not all of them are doing everything it takes to make this a reality," said Phillip Dunkelberger, president and CEO of PGP Corporation. "This study underlines the critical importance of implementing an encryption strategy that encompasses all aspects of an organisation’s data, not to just meet privacy or data security regulations but to also protect against brand damage and loss of customer."

The study found that 57% of UK businesses are using some type of encryption solution in order to protect sensitive information, with the remaining 43% all currently planning to implement encryption technologies. Encryption is most widely used to protect the data held on file servers, Virtual Private Networks (VPN) and databases. VOIP and mainframe encryption are the least deployed applications.

Slightly more organisations (14%) are now using a single platform to deploy and manage encryption across multiple applications than in the previous twelve months (13%). Nearly all of those adopting this approach (90%) reported it enhanced the efficiency and effectiveness of their IT security procedures, while all platform users confirmed this approach improved the management of encryption keys. Key management is a major focus for UK businesses, accounting for 34% of all current spending on encryption. This expenditure is largely expected to deliver a return on investment, with 59% of respondents confident it will reduce the operational costs associated with data protection. A third of organisations are currently exploring the use of a single key management solution to cover their entire operations.

Recent research, also conducted by the Ponemon Institute, found that the average UK data breach costs a total of 1.7 million pounds Sterling; the equivalent of 60 pounds Sterling for every record compromised.

To get a copy of this study (you need to register)