Survey: How Companies Are Securing Critical Data

SECUDE - US Full Disk Encryption 2011 Survey Publication: March 2012

Upload: secude

Post on 06-Jul-2015

Executive Summary

The incredible growth of Information Technology over the last few decades has led to an explosion of corporate data spread throughout an organization on corporate servers, mobile devices, and increasingly on cloud-based systems that may be managed by third parties. In many cases, this is sensitive information and there is the potential for corporate data to be compromised. The question is how to maintain control over this data so that it is safe from potential abuse.

SECUDE, a global provider of IT data protection solutions, conducted a nationwide survey in the United States in November 2011. The survey covered 209 participants across various organizations. Eighty-eight percent of the participants were IT practitioners. The other participants included non-IT business executives (8%) and other non-IT business roles (4%).

IT practitioners by role:

IT Executives such as CIOs, CTOs, Directors, and VPs 18%
IT Managers 15%
IT technical staff or relevant 54%

This research focused on the current status of data encryption technology application across organizations and user perception towards Full Disk Encryption (FDE) solutions.

The comprehensive survey revealed the following facts:

• Fifteen percent of the organizations surveyed do not use any type of encryption solution in their systems.
  o Eighty-seven out of the 209 respondents surveyed stated that their organizations have not implemented FDE technology. Around 60% of them do not plan to implement it for the next two years.
• Sixty-three percent of the participants stated that their organizations were using at least two encryption technologies to protect their critical data.
• The top two encryption technologies used in the surveyed organizations are Full Disk Encryption (58%) and E-mail Encryption (46%).
• FDE solution users prefer solutions that require less effort in everyday use, such as:
  o Low performance impact on computer system resources
  o Transparency to end users

Table of Contents

Executive Summary
Key Findings
  Future Adoption of Encryption Technologies
  Full Disk Encryption Vulnerability Segment
  File and Folder Encryption Vulnerability Segment
  E-mail Encryption Vulnerability Segment
  External Media Encryption Vulnerability Segment
  What Organizations Are Looking For
Recommendation
Appendix
  RESPONDENTS’ PROFILES
  SYSTEM PROFILES
About SECUDE
Global SECUDE Locations

Key Findings

Current Adoption of Encryption Technologies: About 15% of the organizations surveyed do not use any type of encryption solution listed in Table 1. The chart below highlights encryption technology adoption.

Table 1: Encryption Technology Adoption

None of the above encryption technologies 15%
Database encryption 25%
External media encryption 31%
File/Folder encryption 33%
Network traffic encryption 39%
Email encryption 46%
Full disk encryption 58%

Future Adoption of Encryption Technologies: Full Disk Encryption is the encryption technology that will be adopted most over the next two years, followed by external media encryption. The chart below depicts the percentage of encryption technology adoption.

Table 2: Technology Adoption Percentage

Database encryption 21%
External media encryption 31%
File/Folder encryption 25%
Network traffic encryption 20%
Email encryption 22%
Full disk encryption 41%

Full Disk Encryption Vulnerability Segment: Forty-two percent of the surveyed respondents stated that their organizations have not implemented Full Disk Encryption technology. Around 60% of them do not plan to implement it for the next two years.

Figure 1: Vulnerability Segmentation (Full Disk Encryption)

[Chart. Currently at risk: 42%. Segment values as shown: 25%, 33%, 16%, 25%.]

Segments:
• Potential Enters: currently NOT using FDE but would BUY within 2 years
• High Risk: currently NOT using FDE and would NOT buy any within 2 years
• Continuous Protection: currently using FDE and would buy more within 2 years
• Relaxed Protection: currently using FDE BUT WOULD NOT buy more within 2 years

File and Folder Encryption Vulnerability Segment: The survey reveals that US organizations might have a high possibility of a data breach incident at the file and folder layer. Over 55% of participants revealed that their organizations did not pay much attention to this security area.

Figure 2: Vulnerability Segmentation (File and Folder Encryption)

[Chart. Currently at risk: 67%. Segment values as shown: 13%, 20%, 56%, 11%.]

Segments:
• Potential Enters: currently NOT using File and Folder Encryption BUT would buy within 2 years
• High Risk: currently NOT using File and Folder Encryption and would NOT buy any within 2 years
• Continuous Protection: currently using File and Folder Encryption and would buy more within 2 years
• Relaxed Protection: currently using File and Folder Encryption BUT WOULD NOT buy more within 2 years

E-mail Encryption Vulnerability Segment:

Figure 3: Vulnerability Segmentation (E-Mail Encryption)

[Chart. Currently at risk: 54%. Segment values as shown: 11%, 35%, 42%, 12%.]

Segments:
• Potential Enters: currently NOT using E-mail Encryption BUT would buy more within 2 years
• High Risk: currently NOT using E-mail Encryption and would NOT buy more within 2 years
• Continuous Protection: currently using E-mail Encryption and would buy more within 2 years
• Relaxed Protection: currently using E-mail Encryption BUT would NOT buy more within 2 years

External Media Encryption Vulnerability Segment:

Figure 4: Vulnerability Segmentation (External Media Encryption)

[Chart. Currently at risk: 69%. Segment values as shown: 10%, 21%, 48%, 21%.]

Segments:
• Potential Enters: currently NOT using External Media Encryption BUT will buy within 2 years
• High Risk: currently NOT using External Media Encryption and would NOT buy within 2 years
• Continuous Protection: currently using External Media Encryption and would buy more within 2 years
• Relaxed Protection: currently using External Media Encryption BUT would NOT buy more within 2 years

What Organizations Are Looking For:

All participants were asked to rate how important each feature is to them when choosing a Full Disk Encryption solution for their organization. They rated each feature on a 7-point scale that ranged from ‘Not at all important’ to ‘Extremely important’.

Surprisingly, the study found that IT security solution users in the US tend to value core benefits or features that involve day-to-day interaction (marked in the charts with a red dotted circle). This finding is in contrast to the benefits and features that are marketed extensively, such as easy management and additional security layers that IT security vendors promote.

The following charts highlight usage preferences under the categories:

GENERAL IMAGE

[Bar chart. Series: Very important, Extremely important. Features: Price/Good value for money; Certifications (FIPS, Common Criteria); Vendor image/knowledge; Existing relationship with vendor. Values as shown: 33%, 26%, 27%, 13%, 34%, 14%, 16%, 10%.]

USABILITY

[Bar chart. Series: Very important, Extremely important. Features: Flexible authentication mechanisms; Single sign-on to operating system; Transparency to end-user (little/no user …; Offline helpdesk. Values as shown: 27%, 33%, 35%, 19%, 14%, 25%, 39%, 16%.]

PERFORMANCE

[Bar chart. Series: Very important, Extremely important. Features: Low performance impact in day to day use; Ability to use the system during initial encryption; Quick initial encryption. Values as shown: 32%, 22%, 23%, 44%, 19%, 14%.]

SECURITY

[Bar chart. Series: Very important, Extremely important. Features: Two-factor authentication; Secure Wipe/Delete/Erase; Support Self-Encrypting Drives. Values as shown: 29%, 33%, 30%, 10%, 24%, 13%.]

MANAGEMENT

[Bar chart. Series: Very important, Extremely important. Features: Reporting and auditing; Central management console; Remote deployment and configuration; Integration into third party management consoles. Values as shown: 30%, 28%, 31%, 18%, 20%, 25%, 20%, 11%.]

Recommendation

Enterprises are aware of the options available to protect data, but few have taken the necessary steps in the area of Full Disk Encryption. While some have taken this step, an alarming number of enterprises have not encrypted their laptops and may potentially suffer from a breach when those laptops are lost or stolen. This will inevitably lead to damage to their brand and reputation as well as fines and lawsuits which may be in the millions of dollars whether or not there was any harm done with the lost data. In order to protect corporate data and to comply with legislation in many states, companies should review their security policies and take the basic first step of encrypting their laptops through Full Disk Encryption.

Appendix

RESPONDENTS’ PROFILES

Slightly more than half (51%) of the participants were from organizations with more than 1,000 employees.

Organization size (%)

1 - 50 employees 13%
51 - 200 employees 22%
201 - 500 employees 8%
501 - 1,000 employees 6%
1,001 - 5,000 employees 20%
5,001 - 10,000 employees 5%
10,001+ employees 26%

Nevertheless, more than half (59%) of them were working in industries that dealt with massive personal records or required strong information security.

Vertical Industry (%)

Information Technology 21%
Manufacturing & Construction 11%
Finance/Insurance 12%
Education 12%
Services 10%
Healthcare 8%
Government Dept/Agency 6%
Aerospace/Defense/Transportation 8%
Utility/Energy 3%
Consumer Goods 3%
Others 5%

SYSTEM PROFILES

In the United States, Dell is the most popular laptop brand in use, followed by HP and IBM. Nearly one third of the companies use Apple.

Popular Laptop Brands (%)

Dell 74%
HP 47%
IBM/Lenovo 45%
Apple 33%
Toshiba 13%
Sony 8%
Acer 5%

Windows 7 and Windows XP are the two most popular operating systems.

Operating Systems (%)

Windows 7 88%
Windows XP 88%
Windows Vista 23%
Windows 2000 18%
Linux flavor 35%
Mac OS X Leopard 18%
Mac OS X Snow Leopard 26%
OSX Lion 20%
Unix flavor 28%

About SECUDE

SECUDE is an innovative global provider of IT data protection solutions.

The company was founded in 1996 as a collaboration between SAP AG and the Fraunhofer Institute in Germany to develop security solutions.

In early 2011, SECUDE sold its business application security solutions to SAP AG in order to refocus on its core competency, Endpoint Security. SECUDE helps customers to protect their sensitive data against loss and theft as well as to maintain compliance with various laws and industry regulations.

Since December 2011, SECUDE has been a member of the SAP® PartnerEdge™ program and a Value Added Reseller (VAR) channel partner of SAP Deutschland AG & Co. KG, and since February 2012 also a channel partner of SAP (Schweiz) AG. As an SAP VAR, SECUDE offers customers sale of licenses as well as consulting and implementation services for SAP NetWeaver® Single Sign-On, besides its own solution portfolio.

Today SECUDE employs over 75 qualified staff and has the trust of a large number of Fortune 500 companies including many of the DAX-listed companies.

SECUDE has offices in Europe, North America and Asia.

For further information please visit www.secude.com and/or contact us on [email protected]

SECUDE AG
Bergegg 1
6376 Emmetten, NW
Switzerland
Phone: +41 (0) 44 575 1900
Fax: +41 (0) 44 575 1975

Copyright SECUDE AG 2012

SECUDE is a registered trademark of SECUDE AG. Microsoft is a registered trademark of the Microsoft Corporation. Other product and company names mentioned herein serve for clarification purposes and may be trademarks of their respective owners.

Global SECUDE Locations

Germany | India | Switzerland | USA | Vietnam

RESEARCH DISCLAIMER

As with all survey research that involves humans, this research too has certain inherent limitations that need to be considered before drawing inferences from the findings.

Non-Response: The findings of this survey are based on a finite sample of survey responses. Survey invitations were sent to a representative sample of IT and non-IT related business functions. Most of the surveyed entities contributed qualified responses.

Sampling-Frame: Accuracy of the survey is based on valid contact information and the percentage of IT and non-IT representatives across business disciplines. The results may be biased by external events. As SECUDE conducted the survey over the Internet, it is possible that non-Web responses (mailed survey responses or telephone calls) may have drawn different results.

Self-Reported Results: The quality of the survey is based on the integrity of confidential responses received from respondents. Despite the incorporation of checks and balances in the process, it is possible that certain subjects may have provided untruthful or qualitatively incomplete responses.