Policies, processes and a "corporate ethos" of care of data are more important in securing sensitive information than using encryption technology.
Encryption has been back in the spotlight following the HM Revenue & Customs data breach that led to two CDs containing unencrypted records of 25 million people on the child benefit database getting lost in the post.
But two-thirds of silicon.com's 12-strong CIO Jury IT user panel said technologies such as encryption need to be part of a more holistic approach to security that includes training for staff and strict enforcement of policies.
Nic Evans, European IT director for Key Equipment Finance, said: "More important is a corporate ethos of care of such data."
Encryption on its own can give a false sense of security, according to Florentin Albu, ICT manager for the European Organization for the Exploitation of Meteorological Satellites (EUMETSAT).
"However, when used in the context of an information management/information security framework, it can become an effective way to mitigate certain corporate data risks. Even so, it would be just one piece of the jigsaw--you need to combine it with other technologies (authentication, authorization, etc.) and information management practices (data classification, data handling, etc.) in order to become effective," he said.
Even with encryption technology there are weaknesses that could lead to data being compromised. Steve Clarke, director of systems and operations, AOL Broadband, said: "Encrypted data still needs to be viewed, which means it must be unencrypted--giving rise to opportunities to store the data without its encryption. By implementing policy, processes, appropriate training and rigorous enforcement our data stands a chance of remaining secure, but encryption alone is not the panacea."
James Findlay, head of ICT for the Maritime & Coastguard Agency, said: "Encryption only forms part of the solution. Organizations must have robust policies and processes in place to ensure the integrity of both data and systems."
Another survey by security company CheckPoint found just under half of IT chiefs have deployed encryption within their organizations.
But those in favor of greater use of encryption to secure data include Graham Yellowley, director of technology services for investment bank Mitsubishi UFJ Securities International.
He said: "This is a minimum requirement for securing any data, whether this be for internal or external dissemination. Encryption strength needs to be considered with at least 256-bit key encryption for real security."
Richard Steel, CIO for the London Borough of Newham, added that encryption should be used "where the data must be mobile, and combined with two-factor authenticated access".
Andy McCue of Silicon.com reported from London.










