70% of UK organizations hit by a data breach in the past year
PGP Corporation announced the results of the third annual study by The Ponemon Institute, identifying the steps UK organizations are taking to safeguard their confidential data.
The 2009 Annual Study: UK Enterprise Encryption Trends, which polled IT security professionals at 615 enterprises and public sector organizations, found that 70% of UK organizations have been hit by at least one data breach incident within the last year, up from 60% in the previous year.
The number of firms experiencing multiple breaches was also up, with 12% of respondents admitting to more than five data loss incidents in the twelve-month period (up from 3%). Fewer than half of these breaches (43%) were publicly announced; for the remaining 57% of incidents there was no legal or regulatory requirement to disclose.
The public sector experienced the highest number of data loss incidents in the last year, reporting an average of 4.48 breaches per organization. Financial services firms were the next most likely to suffer data loss (an average of 3.11 incidents per year), followed by the education sector (2.74), healthcare and pharmaceutical firms (2.65) and the professional services industry (2.52). Faring better were the entertainment, media and defence sectors, none of which reported any data breaches.
Those organizations experiencing the highest number of data loss incidents were the least likely to have introduced a consistently enforced, company-wide strategy governing the use of data encryption technologies. Of the firms reporting more than five loss incidents, none had any kind of encryption strategy in place.
In contrast, one third of those companies reporting no data loss incident had adopted an enterprise-wide encryption policy, with a further 36% having introduced a partial strategy to protect certain applications, departmental activities or data types (e.g. credit card numbers).
In response to some high-profile cases of lost and stolen laptops, together with the increased business use of smartphones, this year's study also assessed organizational approaches to encrypting data held on mobile devices. While 51% responded that this was 'very important' or 'important', 34% of firms believe it is only sometimes necessary to encrypt the confidential data held on portable devices, and 13% considered it completely unimportant.
Even as the number of data breaches rises, UK organizations are aware of the consequences of such incidents, with 61% of respondents stating that data protection played an 'important' or 'very important' role in an organization's overall risk management efforts. 46% felt encryption helped them meet privacy commitments, and almost the same number (45%) believed encryption was a critical factor in protecting a company's reputation. Of the regulations currently shaping firms' approaches to data encryption, the EU Data Protection Directive was considered the most influential, followed by Payment Card Industry (PCI DSS) requirements and then the UK Data Protection Act. Only 10% singled out the Information Commissioner's Office (ICO) as the most influential regulator impacting data encryption.
The study found that 57% of UK businesses are using some type of encryption solution to protect sensitive information, with the remaining 43% all currently planning to implement encryption technologies. Encryption is most widely deployed for file servers, VPNs and databases; VoIP and mainframe encryption are the least deployed applications.
Slightly more organizations (14%) are now using a single platform to deploy and manage encryption across multiple applications than in the previous twelve months (13%). Nearly all of those adopting this approach (90%) reported it enhanced the efficiency and effectiveness of their IT security procedures, while all platform users confirmed this approach improved the management of encryption keys.
Key management is a major focus for UK businesses, accounting for 34% of all current spending on encryption. This expenditure is largely expected to deliver a return on investment, with 59% of respondents confident it will reduce the operational costs associated with data protection. A third of organizations are currently exploring the use of a single key management solution to cover their entire operations.
Recent research, also conducted by the Ponemon Institute, found that the average UK data breach costs a total of 1.7 million pounds sterling, the equivalent of 60 pounds sterling for every record compromised.