What Data Do Organizations Encrypt And Why?

This post is also available in: עברית (Hebrew)

Ilan Segelman, VP Sales & Business Development at Power communications and Operation Manager at Sophos Israel

תמונה 2_אילן סגלמן
Ilan Segelman

We at Sophos believe that there is no such thing as too much encryption. It is the simplest way to avoid data loss or theft in organizations. It is the last line of defense against cyber attacks or unfortunate accidents of loss of precious information.

And yet, we often hear of organizations that had precious information stolen from them regret not having been wiser as to encrypt it.

Unfortunately, the state of information security is not very well. In 2014, 700 million files were hacked, according to the latest report by Verizon (Verizon Data Breach Investigations Report). In order to understand why there were so many security failures, we decided to conduct our own survey among 1,700 decision makers in the world of IT across six different countries and in different sectors. We asked them what sort of information is being encrypted and why they are not encrypting all of the data. The results of the survey (The State of Encryption Today) are impressive and allow us to understand how the situation can be improved.

One of the results clearly apparent from the survey is that although most organizations take the subject of their clients’ information security very seriously, their employees are not receiving the same treatment and much less protected. These are sensitive data such as banks information or employees’ files containing medical records etc.

For example: 31% admitted that the bank records of employees are not encrypted. 43% don’t encrypt employees’ records and close to half, 47%, don’t encrypt their employees’ medical records.

While hackings into clients’ information get the headlines, information about hacking into employees’ information hardly ever gets noted although organizations are obligated to secure that information by law.

The organization’s sensitive data is also vulnerable to attacks. About a third of respondents mentioned that they have not encrypted their organization’s data and 41% admitted that they don’t always encrypt the organization’s intellectual assets despite the worrying growth in industrial espionage around the world.

Another cause for concern is the type of encryptions. Many organizations fail to distinguish between different levels and types of encryptions. Different files should not be getting the same level of encryption.

Although full drive encryption is critical in cases of theft or data loss, it is not very effective in the case where information leaves the drive. File encryption is necessary and basic so that information will always be protected in the office, while traveling, or in storage, and yet only 36% of respondents noted that they encrypt both the files and the drive.

One of the catalysts for adopting encryption is the transition to cloud computing. 8 of every 10 companies (84%) voiced concern for information stored in the cloud. Given that 80% of organizations made a transition to cloud storage, only 39% make sure to encrypt all the stored files.

This fact leads us to the next critical questions – why do so many organizations fail to encrypt all of their files everywhere and all the time?

The budget of organizations, worries about performance, or lack of basic knowledge on encryptions are three of the main setbacks that show up in the survey.

Unfortunately, these results are not surprising. Most people think that encryption is a complex and expensive process, but facts are that the next generation of the encryption solutions are easy, efficient and aren’t expensive.

The results of the survey, however, are not all bad. There are definite findings indicating that more organizations realize the value of encryption and are starting to act accordingly. Most respondents said that they are aware of not fulfilling their organization’s encryption capability. 69% of them even declared that they plan on raising the level and amount of encryption in the organization in the next two years.

In conclusion, the survey found that despite common use of encryption, there are still critical gaps which expose organizations to loss of precious data. Promises of improvement usually only come in retrospect after the damage has been done.