IT managers are typically well aware of the importance of data encryption, especially when trying to secure laptops and PCs. But, according to a new survey of Canadian IT and business leaders, business managers might actually be taking this point too far.
The study — conducted by data security research firm Ponemon Institute LLC and sponsored by laptop theft protection vendor Absolute Software Corp. — found that 62 per cent of responding Canadian business managers said encryption makes other data security measures unnecessary and irrelevant. This compares to 44 per cent of surveyed Canadian IT leaders who answered the same way.
“It shows that there’s still a reliance on myth,” said Mike Spinney, senior privacy analyst with the Ponemon Institute. “Unfortunately, one of those myths is that technology is the magic wand that protects us from everything going on.”
The study, which surveyed 367 IT practitioners and 325 non-IT business managers from Canadian enterprises, also found that 52 per cent of responding Canadian business managers actually disengaged their PC’s encryption tools.
The study concluded that while business executives appear to overvalue encryption and its role to stop data breaches, many of them are actually hindering its effectiveness by improperly circumventing the technology, creating weak passwords, or using insecure wireless connections.
“(Business managers) have shown themselves to be hypocritical,” said Spinney. “They’re turning off the very thing they believe is going to be protecting them.”
For David Senf, director of the infrastructure solutions group at IDC Canada Ltd., the results highlight the extremely low understanding many business managers have about security threats and vulnerabilities.
“The fact that encryption shows up as something business managers feel is the ‘be-all-and-end-all’ to preventing data loss is absurd,” he said. “But it’s a reality that our data continues to show as well.”
Senf said that while encryption is an important and necessary tool to enterprise security, it’s absolutely not a complete defence strategy.
“You could call up one of these business managers, pretend you’re their IT department, get the password, and lo and behold, you now have access to their encrypted data,” he said. “Moreover, you could send an attachment to them that contains a keystroke logger and get the password that way. You would also get other information before it gets encrypted on the drive.”
Of course, IT managers who wants to drive their point home about the dangers of relying solely on encryption should avoid both of these methods if they want to stay out of trouble with the law and keep their jobs.
Instead, Senf said, IT leaders should focus on trying to educate business managers, with simple and easy-to-understand examples of the dangers of relying solely on encryption. This means that IT managers must also become marketers, trying to influence their business colleagues on security tactics, without going overboard and desensitizing them.
He added that it’s especially important to educate employees as they come into the organization, because it’s often difficult to change an employee’s habits once they are settled in.
Spinney pointed to effective awareness programs about workplace safety and sexual harassment as examples that could also be translated to IT security. Employees need to be aware of the consequences to themselves and their company if they turn off their encryption measures, he added.
