Encryption is one of the most recognised and widely deployed security controls, yet just 4% of data breaches are considered “secure breaches” where encryption makes stolen files useless, a survey has revealed.
Encryption is most often bought and deployed with “compliance” in mind, which often means it is not designed to confront real-world risks such as skilled intruders and accidental oversharing by employees, according to the latest report on enterprise encryption by data security firm Vera.
This is one of the key challenges organisations face in getting real protection, and a return on investment, from the encryption they have already deployed, says the report, which is based on a survey of more than 130 cyber security and IT decision-makers in the US and Canada who oversee encryption and data protection across healthcare, finance, government and other industries.
The data shows that 61% of respondents believe compliance, not the protection of users’ data, drives the need for encryption, heightening the disconnect between encryption and security. Meanwhile, to keep distributed or shared files secure, 41% of companies resort to banning the use of file-sharing sites, hindering productivity and collaboration.
The report also cites perimeter-driven encryption deployments as a top reason why organisations’ encryption investments are misaligned with how employees and business partners actually use critical data.
“Our report confirms what security, privacy and risk professionals are realising, which is that the speed and scale of how data moves across fluid organisations and their partners today is the biggest factor upending data protection,” said Carlos Delatorre, chief executive officer at Vera.
“In the current post-cloud, collaborative environment, organisations must secure and protect data throughout its entire lifecycle,” he added.
According to Delatorre, one approach is to use “always on” file security to protect data throughout its life, while remaining compliant with regulations. This approach is aimed at providing strong encryption, real-time access control, and hosted policy management.
“The news is not all bad,” he said. “Organisations reorienting operations around more collaborative cloud and mobile fabrics are at a crossroads where they can capitalise on these changes to add far more effective visibility and access controls.”
The report highlights that almost two-thirds of respondents rely on their employees to follow security policies to keep distributed files secure, yet 69% are very concerned about their lack of control once files are sent outside the network or placed in cloud collaboration tools, and only 26% can locate such files and revoke access to them quickly.
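The “always on”, data-centric model the report describes, in which a file stays encrypted wherever it travels and access is decided at read time by a policy service that can also locate and revoke it, can be sketched in a few dozen lines. The Go program below is an added illustration written for this article, not Vera’s code or any product’s implementation; the PolicyServer with its Protect, Open, Revoke and Locate operations, the principal names and the sample document are all assumptions made for the example. It uses AES-256-GCM from the Go standard library with one random key per file, so a stolen copy of the ciphertext is useless without a key release from the policy server, which is exactly what the survey calls a “secure breach”.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// ErrAccessDenied is returned when the policy server refuses to release a key.
var ErrAccessDenied = errors.New("access denied by policy server")

// ProtectedFile is all that leaves the organisation: ciphertext plus metadata. No key travels with it.
type ProtectedFile struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// PolicyServer stands in for a hosted key-and-policy service (an assumption made for this
// example, not any vendor's product): one random data encryption key (DEK) per file, plus grants.
type PolicyServer struct {
	keys   map[string][]byte          // file ID -> 32-byte DEK
	grants map[string]map[string]bool // file ID -> principals allowed to read
	Audit  []string                   // every key request and its outcome
}

func NewPolicyServer() *PolicyServer {
	return &PolicyServer{keys: map[string][]byte{}, grants: map[string]map[string]bool{}}
}

// randBytes draws n bytes from the OS CSPRNG; a failure here is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds AES-256-GCM; with a 32-byte key neither constructor can fail.
func newGCM(dek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect encrypts under a fresh per-file DEK, registers the DEK and the initial readers
// with the policy server, and returns the shareable ciphertext.
func (ps *PolicyServer) Protect(fileID string, plaintext []byte, readers ...string) *ProtectedFile {
	dek := randBytes(32)
	gcm := newGCM(dek)
	nonce := randBytes(gcm.NonceSize())
	// File ID bound as associated data: a ciphertext cannot be relabelled to borrow another file's grants.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(fileID))
	ps.keys[fileID] = dek
	ps.grants[fileID] = map[string]bool{}
	for _, r := range readers {
		ps.grants[fileID][r] = true
	}
	return &ProtectedFile{ID: fileID, Nonce: nonce, Ciphertext: ct}
}

// Open is the access decision made at read time, wherever the copy now lives.
// The principal is assumed to have been authenticated by the caller.
func (ps *PolicyServer) Open(principal string, f *ProtectedFile) ([]byte, error) {
	dek, known := ps.keys[f.ID]
	if !known || !ps.grants[f.ID][principal] {
		ps.Audit = append(ps.Audit, fmt.Sprintf("DENY  %s -> %s", principal, f.ID))
		return nil, ErrAccessDenied
	}
	ps.Audit = append(ps.Audit, fmt.Sprintf("ALLOW %s -> %s", principal, f.ID))
	return newGCM(dek).Open(nil, f.Nonce, f.Ciphertext, []byte(f.ID)) // tampering fails here
}

// Revoke withdraws a principal's access: copies they already hold stop opening.
func (ps *PolicyServer) Revoke(fileID, principal string) {
	delete(ps.grants[fileID], principal)
}

// Locate answers "which protected files can this principal still open?".
func (ps *PolicyServer) Locate(principal string) []string {
	var ids []string
	for id, readers := range ps.grants {
		if readers[principal] {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	ps := NewPolicyServer()
	// Constructed sample document, not real data.
	f := ps.Protect("q3-forecast.xlsx", []byte("revenue forecast: confidential"), "alice@example.com")
	ps.Revoke("q3-forecast.xlsx", "alice@example.com")
	_, err := ps.Open("alice@example.com", f) // same bytes she already holds, now useless
	fmt.Println(err, ps.Audit)
}
```

Two caveats a practitioner will want before building on this shape: revocation only governs future key releases, so plaintext a reader decrypted before being revoked is beyond reach, and every open now depends on authenticating the principal and reaching the policy server, which is the trade-off that makes offline access the hard part of data-centric designs. The key store itself becomes the crown jewel and belongs in a KMS or HSM rather than a plain map.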
Survey data shows that only 35% of respondents build encryption into security processes and procedures across the board, while others cite difficulties with deploying encryption properly as the reason it is deprioritised.
The survey shows that digital rights management (DRM) is used by only 26% of respondents, while antivirus is the most widely used preventive security technology, in place at 97% of respondents’ organisations, followed by access control (87%), encryption (84%) and security awareness training (82%).
A key takeaway from the research, the report said, is that encryption is not seen as an “easy win” and is still considered difficult to deploy and use.
“But data-centric security technologies exist that can deliver tracking and access control in real time, with no inconvenience to the end-user,” the report said.
Reasons respondents gave for not encrypting data were that data security is not taken seriously enough (40%), implementing an encryption policy across all data is thought to be too difficult (18%), keeping track of where data is stored is believed to be difficult (17%), in-house applications have not been tested to ensure data is secured according to policy (13%), and administrators fail to configure encryption controls correctly (12%).
Based on the survey findings, Vera recommends that IT and security teams follow the data workflow to find hidden exposures, noting that encryption mechanisms often cannot keep up with data and with users’ changing roles. Given this, organisations need to study how employees actually use data to pinpoint the places encryption cannot reach, or where it is disabled out of necessity.
Vera recommends that organisations resist “attack only” thinking because in most organisations, well-meaning employees who make mistakes outnumber malicious threats. For this reason, organisations are advised to ensure built-in visibility to help employees and managers contain accidental data spills and enforce policies.
The security firm also recommends that organisations align resources to tackle cloud, mobile and third-party forces. The proliferation of mobile devices and business partners presents a wide array of new places where data must travel, but according to Vera, routing data access through approved cloud and other centralised services helps IT, security and business leaders to restore visibility and consolidate control by building embedded encryption and file-level access controls into those platforms.