With cyberattacks now the top cause of data loss – as reported by ThinkDigital Partners – the role of longstanding information security strategies is increasingly scrutinised. As a result, however, one policy, along with its related best practice, is coming to the fore more than ever: encryption.
Both public and private sector organisations stand to gain from more consistent and ubiquitous uses of encryption, because it is a method of staying ahead of evolving cyber threats, complying with legislation and mitigating human error. And it’s relatively straightforward for adopters.
Research surveys are demonstrating a clear trend towards broader adoption of encryption across all media. Our latest findings at Apricorn reflect exactly this message about the necessity of data encryption. The number of UK organisations implementing data encryption as a core part of their cybersecurity strategy is continuing to rise.
In mid-2022, nearly one in three organisations (32 percent) had introduced a policy to encrypt all corporate information as standard in the last year – whether stored on their systems or in the cloud. Only two percent of respondents told us that they don’t currently see encryption as a priority (which of course doesn’t mean they don’t find it useful).
What we’re seeing, in fact, is that almost half (47 percent) of organisations now require all data, in transit or at rest in storage, to be encrypted. The share rises to 73 percent (nearly three-quarters) of organisations when it comes to data held on removable media.
Why encryption’s importance has increased
When asked about the main reason their organisation has increased the implementation of encryption over the past year, nearly a quarter (24 percent) of respondents said this was due to the rise in remote working.
We have found that 42 percent of IT leaders cite the complexity of managing all the technology that employees need and use as a leading challenge. Additionally, 38 percent of respondents in our survey worry that staff will unintentionally expose the organisation to a data breach.
It also seems that the stakes are getting higher for those organisations that don’t give the approach sufficient attention. As many as 32 percent still admit they’re unsure currently whether data is adequately secured – and 16 percent revealed that a lack of encryption had been the primary cause of a data breach within their company, up from 12 percent in 2021.
Sixteen percent of this latter sample pinpoint ransomware as a specific vector of attack. Ransomware offers one of the clearest arguments for offline, ‘air-gapped’, removable yet fully encrypted hardware devices, with the caveat of course that they must be kept up to date.
By ensuring they always have a separately stored, encrypted device available with the required, and most recent, copies of data, organisations can bypass an attacked setup and continue to work elsewhere even in the event of attack.
How can best practice be achieved and updated?
Software-free, 256-bit AES XTS hardware-encrypted, removable and portable USB drives can present an easy-to-implement way to ensure that all workers can comply with the need for encryption, wherever they are working and whatever device they are using – at whatever time.
Built-in hardware encryption with onboard authentication delivers better protection than software-based encryption, which can leave devices exposed to counter resets, software hacking, screen capture and keylogging. When held in a hardware crypto module, encryption keys are protected from brute-force attacks and unauthorised access.
In our survey, 27 percent actively enforce this encryption of data on mobile devices and removable media. For 42 percent of respondents, removable storage device use is only permitted if said device is hardware-encrypted – a rise from 33 percent in the corresponding 2021 report.
An additional benefit of hardware encryption is that organisations adopting removable devices of this type can permit all their staff – even contractors – to work in the ways most convenient and productive for them, without putting their organisation at increased risk.
Of course, technology alone won’t complete the trick. Encryption only provides full defence against attack in conjunction with a 3-2-1 backup policy – ensuring at least three total copies of your data are retained, on at least two different media, with at least one copy stored off site.
Cybersecurity policy and practice should also always be coupled with ongoing education and training that keeps workers both up to date and engaged.
Threats are evolving; all sectors must keep pace
Organisation-wide encryption is a straightforward way of staying ahead of evolving cyber threats, complying with legislation and mitigating human error.
Encryption is high up on corporate priority lists because it now has an even more crucial role to play in protecting sensitive information, alongside an increasing maturity of the approach to cybersecurity in the hybrid working environment.
However, for encryption to become completely effective, organisations must embed it into their ways of working so it becomes ‘business as usual’ – mandated both in policy and enforced at an operational level.
Jon Fielding is managing director EMEA of Apricorn.