Cloud data encryption still missed by 64 percent of organisations


An "epidemic of security worst practices" has been revealed in a report by EKCM (enterprise key and certificate management) software firm Venafi and IT security research company Echelon One.

Their 2011 IT Security Best Practices Assessment shows that the majority of organisations are simply failing to adhere even to simple data protection standards – and, in some cases, are unaware of security practices in place. The assessment evaluated where organisations rank for 12 IT security and compliance best practices, ranging from how they use and manage encryption to how often they conduct security awareness and training programmes.

First, more than three quarters (77%) fail to perform quarterly security and compliance training. Second, just under two thirds (64%) don't encrypt all cloud data and transactions, probably because Salesforce.com, Google Apps and other cloud applications do not encrypt by default. Third, 10% of companies still don't encrypt data business-wide, with Venafi observing that although the failure rate looks encouraging, failure to implement management technologies "can turn encryption into a liability by exposing keys that provide unrestricted access to seemingly secure data". Fourth, over half (55%) still don't have management processes in place to ensure business continuity in the event of a certificate authority (CA) compromise. And fifth, fully 82% fail to rotate SSH keys every 12 months in order to mitigate risks incurred by the average employee life cycle of two years.

"The assessment findings were startling," comments Bob West, founder and CEO of Echelon One. "We suspected we would find that many organisations were challenged, but we had no idea that failure rates would run this high."

West says the good news is that, with this information and self assessment, organisations can now see where they rank in comparison to peers, determine where weaknesses exist and identify steps to reduce security and compliance risks.

"The biggest security struggle organisations face today is managing the unknown — aka the unquantified and unmanaged risks," comments Jeff Hudson, CEO of Venafi.

"If this assessment demonstrates anything, it's that IT and security departments have got to gain greater visibility over all of their security and compliance activities, and take steps to better understand and manage them," he adds.