Organizations may be transferring sensitive data to the cloud with greater frequency, but they still widely lack a consistently applied encryption strategy, with only one third claiming such an enterprise-wide plan, according to a recent study.
More than half, or 56 percent, of those surveyed by the Ponemon Institute for the "2016 Global Encryption and Key Management Trends Study," sponsored by Thales and Vormetric Data Security, claimed to be sending that information to the cloud, with that figure expected to rise to 84 percent in two years. Respondents said supporting cloud and on-premise deployment was the most important motivation for deploying an encryption solution
They're more confident putting private and sensitive information in the cloud, Peter Galvin, vice president strategy at Thales e-Security, told SCMagazine.com, noting that HR and employee data was what organizations were most often protecting.
There's a need for building encryption strategies so as to be able to put data in the cloud,” Galvin explained. But widespread and consistent encryption efforts have not kept pace with enterprise concerns. While the number of organizations with a comprehensive plan has increased since the survey began in 2005 (from less than 15 percent to 37 percent), 15 percent of those surveyed for this year's study said their organizations do not have an encryption strategy at all, compared to 38 percent in 2005.
The survey's findings showed a marked decline in IT's influence over how data is protected – only 32 percent tagged IT operations as most influential, down from 53 percent in 2005. Now lines of business, at 27 percent, have nearly as much influence as IT, and 16 percent of those surveyed said security was most influential.
“Encryption was an IT technology, now we're seeing influences from lines of business [which] reflects what's going on from a reputational and brand standpoint,” said Galvin, noting that other influences now have a “real seat at the table.”
While IT's influence has slipped, so have the dollars available to put toward encryption. The report found that 41 percent of respondents were extensive users of encryption (compared to 16 percent 11 years ago) but over the last three years, IT budgets have declined.
Compliance with privacy and security requirements drive most organizations (61 percent) to encrypt with 50 percent of those surveyed wanting to protect enterprise intellectual property. Avoiding breach disclosures didn't play a big role in the decision to encrypt (only eight percent of respondents noted it as a driver) and compliance with internal policies didn't fare much better (15 percent).
And employees still represent the most significant threat to exposing sensitive data, according to 52 percent of those questioned. Another 30 percent listed system or process malfunction and 28 percent said hackers were the most significant threat.
Galvin said organizations should get to work on enterprise-wide encryption strategies to protect themselves going forward, but face challenges. “A lot of organizations don't know where their sensitive data is,” he said. “The biggest challenge of deploying encryption is to figure out where the data is.”
