The Human Factor in Laptop Encryption: US Study

Encryption is one of the most important security tools in the defense of information assets. Ponemon Institute has conducted numerous studies on organizations' use of encryption to prevent the loss of sensitive and confidential information. These studies have shown that encryption can be an effective deterrent. However, our studies also show that in order to be effective, encryption requires organizations and users to take appropriate steps to make sure sensitive and confidential information is protected as much as possible.

Ponemon Institute conducted this study sponsored by Absolute Software on The Human Factor in Laptop Encryption to understand employees' perceptions about ensuring that information assets entrusted to their care are effectively managed in encryption environments, especially the use of whole disk encryption on laptop computers. The study also was conducted in the United Kingdom and Canada. The results are published in separate reports.

What we learned is that a high percentage of employees we surveyed in non-IT business functions (referred to as business managers in this report) are not taking such precautionary steps as using complex passwords, not sharing passwords, using a privacy shield, keeping their laptop physically safe when traveling or locking their laptop to protect sensitive and confidential data. Further, many respondents believe that encrypted solutions make it unnecessary to take other security measures.

In contrast, their colleagues in corporate IT and IT security functions (referred to as IT security practitioners in this report) are diligent in taking all or most precautionary steps to safeguard the sensitive and confidential information on their laptops. They believe encryption is an important security tool, but believe it is critical to follow certain procedures to ensure that data is protected if a laptop is lost or stolen. The following are some of the most salient findings:
We believe this research is particularly timely because previous studies conducted by Ponemon Institute have shown that the lost or stolen laptop is the number one cause of data loss. In this study we surveyed 720 IT security practitioners and 874 business managers from US-based organizations on the following topics related to their use of laptop encryption:
Key Findings

Following are the key findings of this survey research. Please note that most of the results are displayed in a bar chart format. The actual data utilized in each figure and referenced in the paper can be found in the percentage frequency tables attached as Appendix I to this paper.

A large number of employees in participating organizations have encryption solutions on their laptops. As shown in Bar Chart 1, 82% of IT security practitioners and 58% of business managers have employer-provided encryption solutions on their laptops.

[Bar Chart 1: Does your organization provide laptop encryption? Each bar shows the percentage Yes response. Series: business managers, IT security practitioners.]

Bar Chart 2 reports the most widely-used encryption solutions deployed by organizations. They are: whole disk encryption for 41% of IT security practitioners and for 45% of business managers. This is followed by network or gateway encryption (36% IT and 34% business), file-based encryption (25% IT and 38% business) and encrypted backup device including thumb drive (20% IT and 29% business).

[Bar Chart 2: What encryption solutions are used to protect content on laptops? Categories: encryption chip (hardware), encrypted thumb drive, email encryption, encrypted backup device including thumb drive, network or gateway encryption, file-based encryption, whole disk encryption. Series: business managers, IT security practitioners.]

Ponemon Institute© Private & Confidential Document Page 3

Organizations often are not able to prove data on lost or stolen computers was encrypted. Bar Chart 3 reports that according to 92% of IT security practitioners, someone in their organization has had a laptop used for business purposes lost or stolen and 71% report that it resulted in a data breach for the organization. Only 45% report that their organization was able to prove the contents of the laptop were encrypted.
[Bar Chart 3: Experience dealing with a lost laptop. Questions: "Has anyone in your organization ever had a laptop used for business purposes lost or stolen?", "If yes, did this result in a data breach for your organization?", "If yes, was your organization able to prove that the contents of the laptop were encrypted?" Series: business managers say Yes, business managers say No/Unsure, IT security practitioners say Yes, IT security practitioners say No/Unsure.]

The above chart also shows that 79% of business managers report that someone in their organization had their laptop lost or stolen and 39% say it resulted in a data breach. Only 17% report that the organization was able to prove that the contents of the laptop were encrypted.

There is slightly more confidence among business managers in the ability of encryption to protect the sensitive and confidential information that resides on their laptops. As shown in Bar Chart 4, 68% of business managers strongly agree or agree that encryption protects the information contained on their laptops and 60% of this same group strongly agree or agree it is not necessary to use other security solutions.

[Bar Chart 4: Confidence in laptop encryption. Each bar shows the combined percentage response for "agree" and "strongly agree". Statements: "Encryption protects the information contained on my laptop computer." and "Encryption makes it unnecessary to use other security measures." Series: business managers, IT security practitioners.]

Fifty-nine percent of IT security practitioners strongly agree or agree that encryption protects the information contained on their laptops and 40% strongly agree or agree that encryption makes it unnecessary to use other security measures.
[Bar Chart 5: Perceptions about encryption's ability to protect sensitive content. Each bar shows the combined percentage response for "agree" and "strongly agree". Statements: "Encryption of my laptop prevents the theft of my information by cyber criminals." and "I don't worry about losing my laptop because its contents are encrypted." Series: business managers, IT security practitioners.]

The gap in perceptions about the ability of encryption to protect information widens between these two groups when asked if encryption prevents theft by cyber criminals. As shown in Bar Chart 5, 52% of business managers strongly agree or agree with the statement that "encryption of my laptop prevents the theft of my information by cyber criminals" versus 46% of IT security practitioners who strongly agree or agree. Thirty-two percent of respondents in both groups are uncertain if encryption of their laptops prevents theft by cyber criminals. When asked if they would worry if they lost a laptop that was encrypted, 66% of business managers strongly agree or agree that they would not worry. However, only 39% of IT security practitioners would not worry.

IT security practitioners believe there is a higher probability than business managers believe that a lost laptop or access to an insecure wireless network will result in data loss.

[Bar Chart 6: What is the likelihood of occurrence? The percent of respondents who stated the probability of occurrence is less than 10%. Questions: "If you lost your laptop computer, what do you think is the probability that someone else would be able to access your sensitive or confidential information?" and "If you were accessing the Internet from an insecure wireless network, what do you think is the probability that someone else would be able to access your sensitive or confidential information assuming the laptop computer had an encryption solution?" Series: business managers, IT security practitioners.]

Bar Chart 6 reports that 64% of business managers versus 48% of IT security practitioners believe that there is zero or less than a 10% chance of someone having the ability to access sensitive and confidential information if they lost their laptop. Assuming their laptops are encrypted, 66% of business managers believe that there is no chance or less than a 10% chance of having their sensitive information accessed if they should access an insecure wireless network. In contrast, only 31% of IT security practitioners are confident that there would be zero or less than a 10% chance of losing data when accessing an insecure wireless network.

Business managers put data at risk by not using encryption properly. As shown in Bar Chart 7, 48% of business managers admit to forgetting their laptop's encryption password.

[Bar Chart 7: Did you ever forget your laptop's encryption password? Each bar shows the percentage Yes response. Questions: "Q12a. Did you ever forget your laptop computer's encryption password?", "If yes, the help desk was able to recover my password or key used to protect the data", "If yes, the information on the laptop could not be accessed and was lost permanently." Series: business managers, IT security practitioners.]

Fifty-eight percent were able to recover their password or key used to protect the data by contacting their organizations' help desk but 32% could not gain access and information was lost permanently.

To manage their passwords, business managers circumvent security procedures. As shown in Bar Chart 8, 57% of these respondents record their password on a private document such as a post-it note to jog their memory (36%) or share the key with other individuals in case they forget the password (21%). Virtually none of the respondents from the IT security practitioners group record their password on a private document or share it with another person.

[Bar Chart 8: How do you remember your encryption password? Responses: "I share the key with other individuals in case the password is forgotten.", "I record the password on a private document such as a post-it note.", "Other manual or heuristic methods", "The key is programmed on my computer and is automatically loaded after fingerprint or password authentication." Series: business managers, IT security practitioners.]

Bar Chart 9 shows that 56% of business managers have disengaged their laptop's encryption solution. Only 20% of those who turned off the encryption solution believe that this practice is not in violation of their company's security policy and 32% are unsure. In contrast, only 25% of IT security practitioners have disengaged the encryption solution and 13% believe that this practice is not in violation of their company's security policy.

[Bar Chart 9: Have you ever disengaged your laptop's encryption solution? Each bar shows the percentage Yes response. Questions: "Have you ever turned-off or disengaged your laptop's encryption solution?" and "If yes, does your company's security policy allow you to turn-off or disengage your laptop's encryption?" Series: business managers, IT security practitioners.]

Business managers often don't take precautions and could be considered negligent in taking steps to safeguard the sensitive and confidential information on their laptops. In this study, we asked both business managers and IT security practitioners to respond to questions about typical laptop security procedures. Bar Chart 10 (below) compares these two groups in terms of their propensity to safeguard their laptop computers. As is shown, business managers may be putting their laptops at serious risk because of their tendency not to protect their passwords, to leave their laptops in unguarded situations and to access insecure wireless connections.

Specifically, among business managers, only 17% always turn off their computers when not in use, 11% always use complex passwords or biometrics to prevent unauthorized access to their laptop, 17% always change passwords frequently, 39% never share their passwords, 9% never reuse the same passwords, 5% always use a privacy shield to prevent prying eyes, 3% always physically lock their computer to their desk. When traveling, 11% never leave their computer in an insecure or unattended location, 8% always place their laptop in the hotel safe, 11% never leave their laptop with a stranger, 23% never use an insecure wireless network, 37% always keep their anti-virus or malware software current and 40% always set their computer to hibernate if not attended for a very short period of time.

It is uncertain if business managers' negligence, as evidenced by the above responses, is due to an over-reliance on encryption solutions.
Many in this group of respondents do, however, believe that encryption is all that is needed to protect the information on their laptops. The conclusion here is that the human factor is the weakest link in any organization's efforts to defend data at risk.

The practices of IT security practitioners are the direct opposite of the business managers. Specifically, 44% always turn off their computers when not in use, 73% always use complex passwords or biometrics to prevent unauthorized access to their laptop, 78% always change passwords frequently, 96% never share their passwords, 90% never or rarely reuse the same passwords, 68% always use a privacy shield to prevent prying eyes. However, only 39% always lock their computer to their desk. When traveling, 78% never leave their computer in an insecure or unattended location, 46% always place their laptop in the hotel safe, 79% never leave their laptop with a stranger, 90% never use an insecure wireless network, 93% always keep their anti-virus or malware software current and 84% always set their computer to hibernate if not attended for a very short period of time.

[Bar Chart 10: The human factor in laptop security. Each bar is the percent of respondents who say that they take the listed security precautions. Series: business managers, IT security practitioners.]

Comparisons of US, Canada and UK samples

In addition to this US study, we completed concurrent surveys for IT security practitioners and business managers from organizations in Canada and the UK. [1] In all three countries, IT security practitioners face the same challenge of keeping sensitive and confidential information safeguarded in spite of the actions of business managers who may be relying on encryption to protect data and not following critical security procedures. There are significant gaps between the security practices of business managers and IT security practitioners in all three countries.

Bar Chart 11 shows differences between business managers and IT security practitioners in the US, Canada and the United Kingdom about various attributions of encryption. In the US, there is slightly more of a gap between business managers and IT security practitioners in how worried respondents would be if an encrypted laptop was lost or stolen and prevention of cyber criminals from stealing information.
[Bar Chart 11: Comparison of laptop encryption attributions for the US, Canada and UK. Each bar represents the combined percentage of "Strongly Agree" and "Agree" responses. Statements: "Laptop encryption fully protects my information.", "Encryption is easy to use.", "Encryption makes other measures unnecessary.", "Encryption prevents theft by cyber criminals.", "Don't worry because my laptop is encrypted." Series: IT security US, IT security Canada, IT security UK, business managers US, business managers Canada, business managers UK.]

The most significant between-sample differences shown are in the perception that information contained on an encrypted laptop is protected.

[1] The Canadian study included 348 business managers and 435 IT or IT security practitioners. The UK study involved 499 business managers and 645 IT security practitioners.

Line Chart 1 recasts the average results shown in the above bar chart to highlight the differences or gaps between the IT security practitioner and business manager samples in three countries. As can be seen, the gaps – defined as the average percentage response for business managers minus the average percent response for IT security practitioners – are remarkably consistent for all three countries. As can be seen, business managers are much more likely than IT security practitioners to:
[Line Chart 1: Difference in the perception of encryption among IT security practitioners and business managers in the US, Canada and UK, respectively. GAP = the average percent response for business managers minus response for IT security. Statements: "Laptop encryption fully protects my information.", "Encryption is easy to use.", "Encryption makes other measures unnecessary.", "Encryption prevents theft by cyber criminals.", "Don't worry because my laptop is encrypted." Series: GAP for US, GAP for Canada, GAP for UK.]

In contrast, IT security practitioners in the US, Canada and UK are much more likely than business managers to believe laptop encryption solutions are easy to use.

We believe the primary conclusion that can be drawn from this study is that business managers in all three countries are either negligent in the protection of sensitive and confidential information on their laptops or they may be overly dependent on encryption to keep this information secure. Encryption is an excellent security tool. However, if encryption is turned off, if passwords are shared or if other risks are taken, organizations that utilize encryption technologies alone to ensure the security of confidential information may not be well protected from the possibility of a data breach.

Survey Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
2 Respondents were given nominal compensation to complete all survey questions. Sample
from monu tripathi |
Saturday, February 13, 2010
1 comment:
What is this you have written, man? And you call this writing a blog.