PGP INSIGHT

Press Release: 70% of UK Organisations Hit by One or More Data Breach Incidents within Last Twelve Months
Research from Ponemon Institute Reveals Company-wide Strategy Governing the Use of Data Encryption Technologies Reduces Risk of Breach
London / 8 July 2009 – PGP Corporation, a global leader in enterprise data protection, has announced the results of the third annual study by The Ponemon Institute, identifying the steps UK organisations are taking in order to safeguard their confidential data. The 2009 Annual Study: UK Enterprise Encryption Trends study, which polled IT security professionals at 615 enterprises and public sector organisations, found that 70% of UK organisations have been hit by at least one data breach incident within the last year, up from 60% in the previous year. The number of firms experiencing multiple breaches was also up, with 12% of respondents admitting to more than five data loss incidents in the twelve-month period (up from 3%). Fewer than half of these breaches (43%) were publicly announced; there was no legal or regulatory requirement to disclose the remaining 57% of incidents.
The public sector experienced the highest number of data loss incidents in the last year, reporting an average of 4.48 breaches per organisation. Financial services firms were the next most likely to suffer data loss (an average of 3.11 incidents per year), followed by the education sector (2.74), healthcare and pharmaceutical firms (2.65) and the professional services industry (2.52). Faring better were the entertainment, media and defence sectors, none of which reported any data breaches.
Those organisations experiencing the highest number of data loss incidents were the least likely to have introduced a consistently enforced, company-wide strategy governing the use of data encryption technologies. Of the firms reporting more than five loss incidents, none had any kind of encryption strategy in place. In contrast, one third of those companies reporting no data loss incident had instigated an enterprise-wide encryption policy, with a further 36% having introduced a partial strategy to protect certain applications, departmental activities or data types (e.g. credit card numbers).
In response to some high profile cases of lost and stolen laptops, together with the increased business use of smartphones, this year’s study also assessed organisational approaches to encrypting data held on mobile devices. While 51% responded that this was ‘very important’ or ‘important’, 34% of firms believe it is only sometimes necessary to encrypt the confidential data held on portable devices; 13% considered it completely unimportant.
“While the number of breaches is growing, there is increasing appetite for solutions that can alleviate the costly and time consuming task of managing encryption keys across the whole of the organisation,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “On the whole, UK businesses are looking closely at platform-based encryption solutions – with built in key management capabilities – rather than point solutions supplied by multiple vendors. This doesn’t just make sense from a management or cost point of view. This study clearly illustrates that a unified approach reduces the risk of data loss.”
Despite the rising number of data breaches, UK organisations are aware of the consequences of such incidents, with 61% of respondents stating that data protection played an ‘important’ or ‘very important’ role in an organisation’s overall risk management efforts. 46% felt encryption helped them meet privacy commitments and almost the same number (45%) believed encryption was a critical factor in protecting a company’s reputation. Of the regulations currently impacting firms’ approaches to data encryption, the EU Privacy Directive was considered the most influential, followed by Payment Card Industry (PCI DSS) requirements and then the UK Data Protection Directive. Only 10% singled out the Information Commissioner’s Office (ICO) as the most influential regulator impacting data encryption.
“It’s clear that UK organisations recognise the need to protect customer information and other valuable data assets, but while their intentions may be good, not all of them are doing everything it takes to make this a reality,” said Phillip Dunkelberger, president and CEO of PGP Corporation. “This study underlines the critical importance of implementing an encryption strategy that encompasses all aspects of an organisation’s data, not to just meet privacy or data security regulations but to also protect against brand damage and loss of customer.”
The study found that 57% of UK businesses are using some type of encryption solution in order to protect sensitive information, with the remaining 43% all currently planning to implement encryption technologies. Encryption is most widely used to protect the data held on file servers, Virtual Private Networks (VPN) and databases. VOIP and mainframe encryption are the least deployed applications.
Slightly more organisations (14%) are now using a single platform to deploy and manage encryption across multiple applications than in the previous twelve months (13%). Nearly all of those adopting this approach (90%) reported it enhanced the efficiency and effectiveness of their IT security procedures, while all platform users confirmed this approach improved the management of encryption keys. Key management is a major focus for UK businesses, accounting for 34% of all current spending on encryption. This expenditure is largely expected to deliver a return on investment, with 59% of respondents confident it will reduce the operational costs associated with data protection. A third of organisations are currently exploring the use of a single key management solution to cover their entire operations.
Recent research, also conducted by the Ponemon Institute, found that the average UK data breach costs a total of £1.7 million, the equivalent of £60 for every record compromised.
For more information or to receive a copy of this study, visit: www.encryptionreports.com.
About The Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organisations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes, and backups.
PGP® solutions are used by more than 100,000 enterprises, businesses, and governments worldwide, including 95 percent of the Fortune 100, 75 percent of the Fortune Global 100, 87 percent of the German DAX Index, and 51 percent of the UK FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies’ brands and reputations. Contact PGP Corporation at www.pgp.com
Media & Analyst Contacts for PGP Corporation:
Claire Ayles / Ben Roberts
Johnson King
+44 (0) 20 7401 7968
pgpteam@johnsonking.co.uk
Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation’s sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation’s products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation’s products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
North America
Lauren Ames
PGP Corporation
+1 650 543 3678
lames@pgp.com
Tom Rice
Merritt Group
+1 703 856 2218
rice@merrittgrp.com
Germany
Ingrid Daschner
Johnson King
+49 (0) 89 8940 8511
ingridd@johnsonking.de
Japan
Miho Mochizuki
gram3 Inc.
+81 3 6402 0303
pgp@gram3.co.jp
United Kingdom
Jacqui Depares
Johnson King
+44 (0)20 7401 7968
jacquid@johnsonking.co.uk