Open Season – Why is less data being encrypted than ever before?

Encryption is a critical component of cybersecurity strategies. By making use of various algorithms to scramble data, encryption renders information unintelligible to anyone not authorised to access it. In this sense, it guarantees that compromised data is secure from unauthorised access, even if the system or device is physically stolen, illegally accessed, or lost.

If devices holding sensitive information such as USBs, laptops or mobile phones are lost or left in public places, encryption ensures that the next person to pick them up isn’t able to access key data and potentially leak it into the public domain. It is a vital shield in the security arsenal. Unfortunately, there has been an alarming drop-off of late in the number of companies encrypting devices as standard.

According to 2023 research from Apricorn, little more than one in 10 organisations confirmed that they encrypted data on all laptops – down from 68% in 2022. Looking at desktop computers (down from 68% to 17%), mobile phones (55% to 13%), USB sticks (54% to 17%) and portable hard drives (57% to 4%), the trend is similarly worrying.  

Exploring the intersection between encryption rates and data breaches

The backward steps that organisations have taken in terms of protecting critical data when it’s being shared, handled and stored on devices will only serve to exacerbate their exposure.

Critically, the research shows that those heightened risks are already leading to breaches. A lack of encryption was highlighted as the main cause of at least one data breach by 17% of security leaders – up from 12% in 2021. In a similar vein, lost or misplaced devices containing sensitive information had resulted in a breach at 18% of firms surveyed.

The survey also found that employees are increasingly exposing corporate data to a breach, either intentionally or unintentionally, making it more important than ever for organisations to ensure encryption adds an additional layer of defence to their security strategies.

Why the decline in encryption?

It is interesting to note that security leaders themselves recognise a lack of encryption is leading to breaches, especially given that encryption as standard across all devices dropped off a cliff last year. This begs the question: if security leaders are aware of the potential risks associated with a lack of encryption, why have so many let things slip?

Here, responses to a survey question around the biggest problems associated with implementing a security plan revealed remote/mobile working may be partially to blame for the decline in encryption. Among those organisations that have employees on the move, more than one in five have no control over where company data goes and where it is stored, with 14% admitting they don’t have a good understanding of which data sets need to be encrypted.

This lack of clarity in relation to both where enterprise data is and what needs to be encrypted is a challenge. Visibility over data undoubtedly needs to improve, while company-wide policies that require all data to be encrypted automatically as standard, thus preventing any vital information from slipping through the net, also need to be implemented.

IT leaders intend to improve

What is more promising is the intention expressed by organisations to work towards these improvements and bridge the current encryption gap. Across all devices, 23% of IT leaders stated they do not currently encrypt but plan to do so in the future – up from 12%. Critically, that intent is particularly strong for removable devices, with 48% planning to introduce or expand encryption for portable hard drives. For USB sticks, that figure stands at 42% – up from 20% in 2022.

These signals are cause for optimism. However, intention needs to turn into action quickly for companies to realise the benefits of encryption – and there are many.

Looking at those companies that did increase their encryption practices in 2023, 20% pointed to the ability to share files as a key motivation. Further, 18% highlighted the protection of lost and stolen devices, while 14% outlined the merits in relation to avoiding regulatory fines.

Many are also turning to encryption to improve their eligibility in qualifying for cyber insurance. When asked what tools and strategies had been leveraged to meet the demands of cyber insurers, two of the top answers cited were encrypting data at rest (25%) and on the move (22%).

Where should organisations start?

Many see the advantages of encryption, yet it is vital that they act upon their intent to adopt it, embracing best practices both quickly and effectively. So, where should organisations begin?

First, it is important to gain full and transparent oversight of all company data. Improving visibility and control is critical for effective company-wide encryption. Without this, there is a much greater likelihood of breaches occurring as potential risks slip through the net unseen.

Once complete visibility has been established, organisations can turn their attention to instilling the right encryption policies, ensuring that these are upheld by all employees. Here, hardware security can be a highly useful tool. For example, once a user successfully authenticates into a hardware-encrypted portable device, all encryption processes are performed automatically, removing the opportunity for a user to forget. Embracing such techniques can go a long way towards mitigating the potential liabilities that arise when encryption is absent or incorrectly deployed.

Managing Director, EMEA at
