At Sophos, we believe you can never have enough encryption. Simply put, encryption is the best way to protect information from loss or theft, the last line of defense against cyberattacks and accidental data exposure.
And yet, we frequently hear about businesses that fail to encrypt their data, often after a devastating breach. Unfortunately, the state of data security today is poor – in 2014, 700 million records were compromised, according to the most recent Verizon Data Breach Investigations Report.
To find out why there are so many data security failures, we conducted a survey of 1,700 IT decision makers, covering six different countries and multiple industries. We asked them what types of data their organizations encrypt, and why they don’t always encrypt everywhere.
The results of our “The State of Encryption Today” survey are instructive, and give us a better understanding of where companies can do better.
Some of the most concerning findings of the survey reveal that, while many companies take the security of their customer data seriously, employees are not protected to the same level.
Private, highly sensitive employee data, including banking details, human resources (HR) files, and personal healthcare records, are frequently not protected by encryption.
For example, 31% of the companies we surveyed that store this type of data admitted that employee bank details are not always encrypted, and 43% don’t always encrypt employee HR records. Also, nearly half (47%) of those that store employee healthcare information fail to always encrypt these records.
While customer data breaches are the ones that get the biggest headlines, companies have an obligation – and may be legally required – to protect sensitive employee data. This is an area of data security that is far too often overlooked.
Company data remains at risk as well. Nearly one-third (30%) of organizations surveyed fail to always encrypt their own corporate financial information, and 41% inconsistently encrypts files containing valuable intellectual property, despite the increasing risks of economic espionage.
Another area of concern is that many organizations don’t recognize that the different types of encryption – full-disk and file encryption – are not and should not be mutually exclusive.
Although full-disk encryption is critical in cases of lost or stolen devices, it doesn’t protect the data once it leaves the device. File-level encryption is often necessary and complementary, so that data is always protected: at rest, in transit, and when stored off-device. Yet only 36% of companies said they use both full-disk and file encryption.
Meanwhile, cloud data security is one area driving increased adoption of encryption. More than eight in ten companies (84%) expressed concern about the safety of data stored in the cloud. Nevertheless, while 80% are using the cloud for storage, only 39% encrypt all files stored in the cloud.
This leads to the next crucial question – why are so many companies failing to protect all types of data, everywhere and at all times?
Companies cite budget, performance concerns and lack of deployment knowledge as the top three barriers to implementing an encryption solution.
Unfortunately, I’m not surprised by these findings because too many people mistakenly believe that encryption is too complicated or too expensive to implement. Despite these concerns, the reality is that modern, next-generation encryption solutions can be easy to deploy and quite cost-effective.
There are some positive results from our survey that give me hope that companies are starting to learn the value of encryption and are beginning to move in the right direction.
A majority of IT professionals we surveyed acknowledged that their companies need to do a better job of encrypting employee, customer and company information. The good news is that 69% of them said they plan to increase their use of encryption within the next two years.
The State of Encryption Today survey confirms that while encryption is widely used and accepted by businesses, there are critical gaps.
Promises to do better “next time” come too late, after the damage has already been done. For the organizations and individuals who are victims of data breaches, a single breach is one too many.
For more information about the challenges and opportunities for data protection in your organization, I recommend reading the full results and analysis of this survey at sophos.com/encryptionsurvey. We’ve also put together several free resources such as videos and guides to help you on your way to better security for all your data at sophos.com/encrypt.