CIOs: Encryption only part of data-security solution

Policies, processes and a "corporate ethos" of care of data are more important in securing sensitive information than using encryption technology.

Encryption has been back in the spotlight following the data breach at HM Revenue & Customs that led to two CDs containing unencrypted records of 25 million people on the child-benefit database getting lost in the post.

But two-thirds of a 12-strong CIO Jury IT user panel, brought together by ZDNet.co.uk's sister site silicon.com, said technologies such as encryption need to be part of a more holistic approach to security, including training for staff and strict enforcement of policies.

Nic Evans, European IT director for Key Equipment Finance, said: "More important is a corporate ethos of care of such data."

Encryption on its own can give a false sense of security, according to Florentin Albu, ICT manager for the European Organisation for the Exploitation of Meteorological Satellites (EUMETSAT).

"However, when used in the context of an information-management [or] information-security framework, it can become an effective way to mitigate certain corporate-data risks. Even so, it would be just one piece of the jigsaw; you need to combine it with other technologies — authentication, authorisation, et cetera — and information-management practices — data classification, data handling, et cetera — in order to become effective," Albu said.

Even with encryption technology, there are weaknesses that could lead to data being compromised. Steve Clarke, director of systems and operations at AOL Broadband, said: "Encrypted data still needs to be viewed, which means it must be unencrypted — giving rise to opportunities to store the data without its encryption. By implementing policy, processes, appropriate training and rigorous enforcement, our data stands a chance of remaining secure, but encryption alone is not the panacea."

James Findlay, head of ICT for the Maritime & Coastguard Agency, said: "Encryption only forms part of the solution. Organisations must have robust policies and processes in place to ensure the integrity of both data and systems."

Another survey by security company Check Point found that just under half of IT chiefs have deployed encryption within their organisations.

But those in favour of greater use of encryption to secure data included Graham Yellowley, director of technology services for investment bank Mitsubishi UFJ Securities International.

Yellowley said: "This is a minimum requirement for securing any data, whether this be for internal or external dissemination. Encryption strength needs to be considered, with at least 256-bit key encryption [needed] for real security."

Richard Steel, chief information officer for the London Borough of Newham, added that encryption should be used "where the data must be mobile, and [should be] combined with two-factor authenticated access".