I read an article today regarding the 5 most ignored security best practices based on analysis of a survey across a sample of 420 organizations.  The top 5 reduce to 2:

1. users don’t instinctively follow security best practices
2. organizations are not good at key management

As usual, we look at these findings through the lens of SharePoint security concerns and confidential information in SharePoint sites. SharePoint end-user security awareness is a good thing but cannot be a single point of failure. SharePoint content encryption, when properly deployed and maintained, can be an effective control to address various security threats.

End-user training is a required component of any information security and compliance program. For example, users need to know how to recognize possible phishing attacks and to respond appropriately. Providing this training, however, does not relieve organizations from needing to deploy anti-virus and malware prevention technologies. The reality is some attacks will be successful and having automated technical controls is also a required component of an information security and compliance program.

Encryption is a technology that organizations are increasingly viewing as a critical automated control. Historically, however, many key management functions are not automated so even though organizations should rotate keys every year, they don’t. CipherPoint has many decades of encryption key management experience and we recognize the common failures of existing encryption solutions and how organizations adopt them. Our CipherPointKM includes patent-pending technology that automates key management and eliminates frequent pitfalls associated with encryption and with common operations such as backup and restore.

Mike