News

Mounting Data Breaches Cause Huge Encryption Spike

• By David Ramel
• 06/16/2022

Mounting data breaches have caused a huge spike in encryption says a new survey-based report, but it's not ransomware attackers or other bad actors organizations are protecting against -- it's their own employees.

Those are two takeaways from the new Entrust 2022 Global Encryption Trends Study sponsored by Entrust and conducted by the Ponemon Institute. More than 6,000 responses were received for the study, which was conducted last December/January. It's the 17th edition in the series.

With that much history to compare against, Entrust noted that this year 62 percent of organizations reported having an encryption strategy in place, up from 50 percent in last year's study, which the firm said was the sharpest increase in adoption in nearly two decades.

"Companies are taking data protection more seriously, but there's still a way to go," said Entrust in a June 1 news release. "While the Ponemon research has shown a steady increase in enterprise-wide encryption adoption over the years, this year's study revealed a dramatic jump from 50 percent to 62 percent in those respondents saying that their organizations have an encryption policy that is consistently applied. Similarly, 61 percent of respondents rated the level of their senior leaders' support for enterprise-wide encryption strategy as significant or very significant."

This data comes in a time of increased ransomware and other attacks, with news headlines announcing another data breach seemingly every other week or so. In fact, the study revealed that 72 percent of organizations have suffered a data breach, half of them within the last year.

However, even as we're continually bombarded with headlines about ransomware and other data breaches, it's not hackers that encryption is primarily protecting against, but rather miscues by employees, typically in configuration settings. That problem is detailed in our March article, "Cloud Security Report: It's Still Misconfiguration, Misconfiguration ... ."

"Employee mistakes continue to be the most significant threats to sensitive data," said the new Entrust report, which went on to state, "the most significant threats to the exposure of sensitive or confidential data are employee mistakes, while the threat from temporary or contract workers reached 28 percent, its highest level ever. This may indicate an impact of the ongoing labor shortage in security roles and the risks introduced by overworked and temporary employees. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests."

Which is not to say that bad actors aren't a significant problem. A June 1 Entrust blog post about the report said "combining malicious insiders (20 percent) and external hackers (29 percent), we see that intentional actors account for around half of top-ranked threats."

That blog post goes on to discuss challenges with organizational efforts to implement encryption, including the ever-present, lingering skills shortage, as discussed in last month's article "How to Address Crippling Cloud Skills Shortage?"

Entrust said: "Despite the spike in adoption of encryption strategies, respondents reported several barriers and challenges around encryption. Nearly two-thirds said key management is a painful challenge -- made more difficult by the ongoing tech talent shortage in IT and security roles."

Also, more than half of respondents said the biggest challenge is simply identifying where data lives and moves in order to encrypt it, Entrust said.

Other highlights of the report include:

• According to the consolidated findings, system performance and latency, management of keys, and enforcement of policy are the three most important encryption features.
• 55 percent of respondents say their organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted.
• Organizations are using encryption to protect customers' personal information (53 percent of respondents), to protect information against specific, identified threats (50 percent of respondents) and the protection of enterprise intellectual property (48 percent of respondents).
• Over the past five years, the deployment of encryption has grown the fastest with containers and IoT devices
• 63 percent of respondents say IoT platforms have been at least partially encrypted and 64 percent of respondents say encryption of IoT devices has been at least partially deployed.
• Nearly half of all organizations use hardware security modules (HSMs), up from 38 percent five years ago.
• Fifty-five percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e., private cloud model).
• 38 percent of respondents say encryption is performed on-premises prior to sending data to the cloud using keys their organization generates and manages. However, 44 percent of respondents perform encryption in the cloud, with cloud provider generated/managed keys. Twenty-one percent of respondents are using some form of BYOK approach.
• Only 22 percent of respondents say they have a limited encryption plan or strategy that is applied to certain applications and data types, a significant decrease from last year.
• The most significant increases in extensive encryption usage have occurred in manufacturing, energy & utilities and the public sector.
• The average annual global budget for IT security is $24 million per organization.
• The countries with the highest average annual budgets are the U.S. ($41 million) and Germany ($28 million).
• The least likely data type to be encrypted is health-related information and non-financial information, which is a surprising result given the sensitivity of health information.
• 61 percent of respondents rate the level of their senior leaders' support for an enterprise-wide encryption strategy as significant or very significant.

"As more enterprises migrate applications across multi-cloud deployments there is a need to monitor that activity to ensure enforcement of security policies and compliance with regulatory requirements," said Entrust exec Cindy Provin. "Similarly, encryption is essential for protecting company and customer data and it is encouraging to see such a significant jump in enterprise-wide adoption. However, managing encryption and protecting the associated keys are rising pain points as organizations engage multiple cloud services for critical functions. As the workforce becomes more transitory, organizations need a comprehensive approach to security built around identity, zero trust and strong encryption rather than old models that rely on perimeter security and passwords."