News & Views
Apricorn reports drop in encryption
There is an alarming drop in device encryption in UK companies despite over a fifth of security leaders admitting they have “no control” over data, according to the latest research from Apricorn (www.apricorn.com), the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives.
Research found that more than a third (35%) or organizations say that lack of encryption and loss of devices containing sensitive information is responsible for data breaches, further a further 17% of security leaders saying that has been the main cause of a data breach within their organization – representing a steady rise from 12% in 2021. Lost or misplaced devices containing sensitive data had caused a breach at 18% of organizations, despite the fact this is a risk that can be mitigated through encryption.
According to Apricorn’s research, only 12% of organizations currently encrypt data on all laptops, compared with 68% in 2022, while 17% encrypt data on all desktop computers, down from 65% last year. It’s a similar story for mobile phones – with 13% encrypting on all, versus 55% in 2022; USB sticks – with 17% encrypting today, down from 54%; and portable hard drives – a drop to just 4% from 57%.
“Businesses appear to have gone backwards in terms of protecting critical data when it’s being shared, handled and stored on devices. This is creating unacceptable risk,” says Jon Fielding, Managing Director EMEA, Apricorn. “Encryption renders information unintelligible to anyone not authorized to access it – whatever happens to the device, and whoever might get their hands on it.”
While the decline in encryption is alarming, Apricorn’s annual research shows the good news that there is a big jump in the percentage of security leaders saying they do not currently encrypt but plan to in the future – an average increase across all devices from 12% to 23%. Of those intending to boost their use of encryption on removable devices: 48% plan to either introduce or expand encryption on portable hard drives, up from 16% in 2022, whilst for USB sticks, the figure has risen to 42% from 20%.
“Our research shows that IT leaders do have the intention to expand their usage of encryption to remediate the gap, but this needs to happen sooner rather than later,” adds Fielding.
Responses to a question around the biggest problems associated with implementing a security plan for remote/mobile working may point to a reason behind the decline in encryption. Of the surveyed security leaders who have mobile/remote workers, 22% say they have no control over where company data goes and where it is stored, with 14% admitting they don’t have a good understanding of which data sets need to be encrypted.
“There appears to be some confusion over where enterprise data is, and what needs to be encrypted,” suggests Fielding. “This highlights the importance of having visibility over data – but also the implementation of a company-wide policy that requires all information to be encrypted automatically, as standard. This will ensure that nothing manages to slip through the net.”
For companies which have increased their implementation of encryption over the last year, 20% say their main reason was to securely share files (20%), 18% cited the need to protect lost and stolen devices, whilst a 14% cite avoidance of regulatory fines.
Encryption is also seen as having a key part to play in meeting eligibility criteria for cyber insurance. When asked what tools and strategies they incorporated into employee usage policies to comply, two of the top answers cited were the requirement to encrypt data at rest (25%) and on the move (22%).
“Companies recognize the benefits of applying encryption and are well aware that neglecting to do so exposes sensitive and confidential data to the risk of compromise or loss. Despite this, data is not being adequately protected. This needs to be addressed: other findings from our research have shown an increase in employees exposing corporate data to a breach – either unintentionally or with malicious intent. This makes it more important than ever that encryption is in place as a last line of defence,” comments Fielding.
The research, conducted by Censuswide with 201 security decision makers (manager level +) of large companies in the UK was run between 30.03.2023 – 06.04.2023.