Each year, hundreds of millions of sensitive personal records are exposed by hackers and cybercriminals. Encryption is an essential security control and part of a company’s security policies and procedures. Yet, despite high practice rates, few IT leaders encrypt their data consistently.
Companies that do not enforce data encryption face ugly consequences. Unauthorized individuals might steal data from compromised accounts or gain access to unencrypted data. Ransomware and other attacks are significantly more effective without encryption. Moreover, a company’s reputation can be affected by breaches. That is why encryption is often mandated in security regulations.
As shown in Figure 3 from our full report, Encryption Best Practices, 6% of our survey respondents encrypt data informally, while 65% do so formally but inconsistently. This may mean that they only encrypt certain data for certain personnel or in specific locations but not others. Whatever the reason for the inconsistency, this remains a pressing concern for executives committed to thwarting cybercriminals. It is surprising that only 19% practice encryption formally and consistently.
“All PII and company data should be encrypted, and it is not challenging to do so,” said Waynelle John, research analyst for Avasant Research, based in Los Angeles. “There are numerous free solutions available, but encryption initiatives must be driven from the top down to ensure consistency.”
Data theft is on the rise, but encryption best practices can protect sensitive or confidential information, both in storage and in transit. It is an advisable practice for every organization, especially those processing personal information or other highly confidential data.
Take the case of the MOVEit data breach of 2023. This significant global cyberattack exploited a vulnerability in Ipswitch’s managed file transfer software, MOVEit. The attackers utilized SQL injection on public-facing servers to steal files from over 2,500 organizations worldwide. More than 60 million individuals were impacted, with 80% of affected organizations based in the United States. The extent of this breach was possible because the data handled by the MOVEit software is often unencrypted. Therefore, once attackers found a weak spot, they were able to access significant amounts of data.
Significant challenges lie in a lack of employee awareness, education, and training regarding encryption practices. Another area of inconsistency relates to where encryption is performed. Data is at risk when it is at rest in a database or storage repository and when it is in transit over a network. Consistent encryption requires the protection of data in both states. Yet some companies encrypt data in only one of these states, potentially exposing their data to attack.
The full report seeks to define encryption and provide suggestions for getting started. We also study adoption, practice levels, and maturity and examine these parameters by organization size and sector. We conclude with best practice recommendations.
This Research Byte is a brief overview of our report Encryption Best Practices. The full report is available at no charge for subscribers, or it may be purchased by non-clients directly from our website.