- Lack of encryption and loss of devices containing sensitive information responsible for data breaches at more than a third (35%) of organisations
- Intent to increase encryption on removable devices almost trebles in a year, according to Apricorn research
A significant drop in the encryption of data on devices within UK companies has been revealed through annual research carried out by Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives. This trend is having a clear impact on the security of critical information. Lack of encryption was cited by 17% of the security leaders surveyed as having been a main cause of a data breach within their organisation – a steady rise from 12% in 2021. Lost or misplaced devices containing sensitive data had caused a breach at 18%; this is a risk that can be mitigated through encryption.
According to Apricorn’s research, only 12% of organisations currently encrypt data on all laptops, compared with 68% in 2022, while 17% encrypt data on all desktop computers, down from 65% last year. It’s a similar story for mobile phones – with 13% encrypting on all, versus 55% in 2022; USB sticks – with 17% encrypting today, down from 54%; and portable hard drives – a drop to just 4% from 57%.
While the decline in encryption is alarming, the good news is that there is a big jump in the percentage of security leaders saying they do not currently encrypt but plan to in the future – an average increase across all devices from 12% to 23%. In particular, there is a major rise in those intending to boost the use of encryption on removable devices: 48% plan to either introduce or expand encryption on portable hard drives, up from 16% in 2022. For USB sticks, the figure has risen to 42% from 20%.
Jon Fielding, Apricorn’s managing director EMEA, says: “Businesses appear to have gone backwards in terms of protecting critical data when it’s being shared, handled and stored on devices. This is creating unacceptable risk. Encryption renders information unintelligible to anyone not authorised to access it – whatever happens to the device, and whoever might get their hands on it. IT leaders do have the intention to expand their usage of encryption to remediate the gap, but this needs to happen sooner rather than later.”
Responses to a question around the biggest problems associated with implementing a security plan for remote/mobile working may point to a reason behind the decline in encryption. Of the surveyed security leaders who have mobile/remote workers, 22% say they have no control over where company data goes and where it is stored, with 14% admitting they don’t have a good understanding of which data sets need to be encrypted.
“There appears to be some confusion over where enterprise data is, and what needs to be encrypted,” suggests Jon Fielding. “This highlights the importance of having visibility over data – but also the implementation of a company-wide policy that requires all information to be encrypted automatically, as standard. This will ensure that nothing manages to slip through the net.”
For companies that have increased their implementation of encryption over the last year, the main reasons stated were the ability to securely share files (20%), the protection of lost and stolen devices (18%), and the avoidance of regulatory fines (14%). Encryption is also seen as having a key part to play in meeting eligibility criteria for cyber insurance. When asked what tools and strategies they incorporated into employee usage policies in order to comply, two of the top answers cited were the requirement to encrypt data at rest (25%) and on the move (22%).
Jon Fielding adds: “Companies recognise the benefits of applying encryption, and are well aware that neglecting to do so exposes sensitive and confidential data to the risk of compromise or loss. Despite this, data is not being adequately protected. This needs to be addressed: other findings from our research have shown an increase in employees exposing corporate data to a breach – either unintentionally or with malicious intent. This makes it more important than ever that encryption is in place as a last line of defence.”
The research was conducted by Censuswide with 201 security decision makers (manager level +) of large companies in the UK between 30.03.2023 – 06.04.2023. Censuswide abides by and employs members of the Market Research Society, which is based on the ESOMAR principles, and is a member of The British Polling Council.