Data Protection – Put Your Money Where Your Doubt Is
I have some good news and some bad news on encryption. First, the good news: encryption is all over the place! The bad news? Encryption isn’t really all over the places data needs it to be.
We had an eye-opening talk on encryption recently in a webinar with 451 Research. In the webinar, Eric Hanselman, 451’s security analyst at-large, doled out a review of how companies implement encryption. A whopping 82% of respondents to their survey had encryption “in use”. Great news, right? Until he went further, and itemized how companies were relying on encryption.
Primarily, companies opted for crypto methods that satisfy compliance but not necessarily true security. Here, we’re talking about laptop (80%), hard-drive (60%) and email (55%) encryption. When it came to practices for solid, end-to-end security via encryption, the results were low: only 2% of companies were using encryption for “data in motion” (the volumes of info you’re sharing) and 4% had locked down “data at rest” (the big bytes of data stored for use or audits at a later date).
The gulf between these applications of encryption might sound like semantics or inside baseball to some. But it really points to a mistake in how and where companies look to protect their most sensitive documents, data and communications. By failing to encrypt data in motion and at rest, you’ve let access to and control over information walk out the front door. (And if you don’t think the data is valuable, ask Radio Shack.)
Hanselman framed it like this:
“Despite some challenges in IT budgets, people are continuing to spend on encryption. This is a good thing broadly. But what does that mean in terms of effectiveness for how people actually use encryption? People are coming at it with solutions that work for a certain set of use cases: volume and hard-drive encryption for laptops; email exchange. When you think of that valuable data, what more and more organizations secure today isn’t on devices … but there’s a lot more of that data which is heading out of the normal corporate environment.”
We preach layers of security and practice protection as a process. It’s also worth revisiting what you’re using. Why opt for encryption if it’s not the type of encryption you really need?