Encryption adoption driven by new tech and compliance

Organisations worldwide are increasingly turning to encryption to protect applications and sensitive information to improve security and meet compliance requirements, a survey across multiple sectors in 14 countries reveals.

This main driver of this rapidly growing upward trend is the need to protect data used and generated by new technologies such as the internet of things (IoT), blockchain and digital payments, according to the 2019 Global Encryption Trends Study from the Ponemon Institute, sponsored by nCipher Security.

The other main drivers for deploying encryption is compliance with new data protection laws around the world and a desire by boards to avoid reputational damage due to a data breach, protect intellectual property and personal data from cyber criminals, and guard against human error.

According to 54% of respondents, employee mistakes continue to be the most significant threat to sensitive data, followed by external hackers (30%) and malicious insiders (21%).

As a result, 45% of more than 5,800 respondents say their organisation has an overall encryption plan applied consistently across the entire enterprise, an increase of 2% in the past year.

Germany tops the countries with the highest level of consistently applied encryption at 67%, followed by the US (65%), Australia (51%) and the UK (50%).

A further 42% globally said they have a limited encryption plan or strategy that is applied to certain applications and data types, which leaves just 13% of polled organisations that are not yet using encryption.

The study report notes that the biggest barriers or challenges to planning and executing a data encryption strategy include discovering where sensitive data resides in the organisation (69%), deploying the encryption technology (42%), and classifying which data to encrypt (32%).

Other barriers cited include ongoing management of encryption and keys (28%), determining which encryption technologies are most effective (16%), and training employees to use encryption appropriately (13%).

With more data to encrypt and close to two-thirds of respondents deploying six or more separate encryption products, policy enforcement (73%) was selected as the most important feature for encryption systems. In previous years, performance consistently ranked as the most important feature.

The study shows that cloud data protection requirements also continue to drive encryption use, with encryption across both public and private cloud use cases growing over 2018 levels, and organisations prioritising encryption systems that operate across both enterprise and cloud environments (68%). 

With the explosion and proliferation of data that comes from digital initiatives, cloud use, mobility and IoT devices, data discovery continues to be the biggest challenge in planning and executing a data encryption strategy, with 69% of respondents citing this as their number one challenge.

The use of hardware security modules (HSMs) grew at a record rate from 41% in 2018 to 47% in 2019, indicating a requirement for a hardened, tamper-resistant environment with higher levels of trust, integrity and control for both data and applications, the report said.

The survey shows that HSM usage is no longer limited to traditional use cases such as public key infrastructure (PKI), databases, application and network encryption (TLS/SSL). The demand for trusted encryption for new digital initiatives has driven significant HSM growth over 2018 for code signing (up 13%), big data encryption (up 12%), IoT root of trust (up 10%) and document signing (up 8%). Additionally, 53% of respondents report using on-premise HSMs to secure access to public cloud applications.

Larry Ponemon, chairman and founder of the Ponemon Institute, said the use of encryption is at an all-time high. “Encryption usage is a clear indicator of a strong security posture with organisations that deploy encryption being more aware of threats to sensitive and confidential information and making a greater investment in IT security,” he said.

Adoption of encryption is also being spurred, he said, by the need to protect sensitive information from both internal and external threats as well as accidental disclosure because of compliance requirements such as the EU’s General Data Protection Regulation (GDPR), California Data Breach Notification Law and Australia’s Privacy Amendment Act 2017.

John Grimm, senior director of strategy and business development at nCipher Security, said organisations are under “relentless pressure” to protect their business critical information and applications and meet regulatory compliance.

“But the proliferation of data, concerns around data discovery and policy enforcement, together with lack of cyber security skills makes this a challenging environment.”

Other findings of the survey include:

• Payment-related data (55% of respondents) and financial records (54%) are most likely to be encrypted. Financial records had the largest increase on this list over past year, up 4%.
• The least likely data type to be encrypted is health-related information (24%), which the report said is a surprising result given the sensitivity of health information and the recent high-profile healthcare data breaches.
• Support for both cloud and on-premises deployment of encryption has risen in importance as organisations have increasingly embraced cloud computing and look for consistency across computing styles.