Backup encryption failures leave data in peril

Potentially sensitive corporate data is being placed unnecessarily at risk because less than a quarter of companies currently encrypt their backup tapes, newly published research has claimed.

According to security firm DISUK's global Paranoia Audit 2005, there is "markedly less paranoia worldwide than might be considered healthy to ensure rigorous data security." Only 34 percent of respondents said that their corporate security policy included backup encryption, and only 23 percent said that it was actually taking place.

However, of the non-encrypting 77 percent, more than 46 percent indicated that they plan to incorporate encryption in the future. But, overall, this still leaves almost one in six firms with no plans to encrypt backup tapes any time soon, the study found.

Of the encrypting minority, encryption software is used by more than half, with the remainder split between backup/archiving software and encryption appliances, reinforcing the interpretation that there is no standard approach to the issue.

Jon Toigo, CEO of Toigo Partners International, a consumer-focused IT consulting firm, and founder of the Data Management Institute, an online community for data managers, said: "There is so much hype and misinformation around storage security that the very rudimentary requirements, like encrypting backup tapes that are headed off premise to a backup center or off site storage facility, are too often being missed."

"It shouldn't take the threat of regulatory or legal actions for companies to appreciate the need to safeguard their most irreplaceable asset: data," he added.

A lack of a standard approach to data security was uncovered in the report, which highlighted a lack of consistency and uncertainty over precisely with whom, within organizations, responsibility lies. Less than one in five respondents cited the storage manager, with the security manager named by 41 percent.

Of more concern, responsibility was deemed to be shared between these two by 17 percent of respondents, while 9 percent admitted that responsibility was unclear and 2 percent replied that no one was responsible. This suggests that lines of responsibility are either unclear or non-existent in more than a quarter of organizations.

Paul Howard, managing director of DISUK, said the results are surprising given the spate of high-profile incidents during 2005 that involved the loss of backup tapes containing sensitive personal information: "At the time, these incidents served to highlight that millions of people are at daily risk of identity theft because data backed up to magnetic tape is unencrypted more often than not. Many organizations appear to have short memories or simply to think it won't happen to them."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.