Entrust-sponsored and conducted by the Ponemon Institute, research highlights gaps impacting organisations’ ability to meet rising threats
Organisations reporting having consistent, enterprise-wide encryption strategy leapt from 36 percent to 57 percent, as they seek greater control of the data they have distributed across multiple cloud environments. This and other findings are highlighted in the Entrust 2022 Global Encryption Trends Study, the seventeenth annual multinational survey of security and IT professionals conducted by the Ponemon Institute.
The study reports on the cybersecurity challenges organisations face today, and how and why organisations protect their data. Key findings include:
Companies are taking data protection more seriously, but there’s still a way to go
While the Ponemon research has shown a steady increase in enterprise-wide encryption adoption over the years, this year’s study revealed a dramatic jump from 36% to 57% in Southeast Asian respondents saying that their organisations have an encryption policy that is consistently applied. Similarly, 61% of respondents rated the level of their senior leaders’ support for enterprise-wide encryption strategy as significant or very significant. Out of the APAC countries surveyed, Japan and Korea rank the highest for encryption employment (69%), while Taiwan ranks the lowest (51%).
This year’s report also revealed the same top two biggest challenges in planning and executing a data encryption strategy as 2021, namely finding the data (60%) and initially deploying the encryption technology (34%). When it comes to key management, Australia and Japan top APAC and come in second globally in reporting their challenges (65% chose “pain” ratings at or above 7 out of a 10-point scale).
“The large jump in respondents reporting consistently applied encryption policies across their organisations, together with high support from senior leadership points to a real enterprise awakening to the need for proactive data security,” said John Metzger, vice president of product marketing for digital security solutions at Entrust. “While this year’s study also reveals that there are still gaps in the implementation of encryption for several categories of data – it’s nonetheless a big step forward.”
While the results indicate that companies have gone from assessing the problem to acting on it, they also reveal encryption implementation gaps across many sensitive data categories. For example, just 37% of respondents say that encryption is extensively deployed across containers, 34% for big data repositories and 20% across IoT platforms. Similarly, while 72% of Southeast Asian respondents rate hardware security modules (HSMs) as an important part of an encryption and key management strategy, 61% said they were still lacking HSMs. A closer look at the APAC region reveals that while Japan remains the leading user of HSMs from 2021, usage has gone down from 63% last year to 55% this year. These results highlight the accelerating digital transformation underpinned by the movement to the cloud, as well as the increased focus on data protection.
Organisations seek greater control of their cloud data
This year’s study also reveals how the flow of sensitive data into multiple cloud environments is forcing enterprises to increase their security in this space. Notably, this includes containerised applications, where the use of HSMs reached an all-time high of 51%.
Almost half of respondents (43%) admit their organisations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenisation or data masking. Another 44% said they expect to do so in the next one to two years.
“The rising adoption of multi-cloud environments, containers and serverless deployments, as well as IoT platforms, is creating a new kind of IT security headache for many organisations,” added Metzger. “This is compounded by the growth in ransomware and other cybersecurity attacks. This year’s Global Encryption Trends study shows that organisations are responding by looking to maintain control over encrypted data rather than leaving it to platform providers to secure.”
When it comes to protecting some or all of their data at rest in the cloud, 32% of Southeast Asian respondents said encryption is performed in the cloud using keys generated and managed by the cloud provider. Another 46% of respondents reported encryption being performed on-premises prior to sending data to the cloud using keys their organisation generates and manages, while 19% are using some form of Bring Your Own Key (BYOK) approach.
Together, these findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud, but also that encryption and data protection in the cloud is being handled more directly.
Employees continue to represent a significant threat to sensitive data
When it comes to the sources to threats, respondents identified employee mistakes as the top threat that might result in the exposure of sensitive data (46%), with the threat from temporary or contract workers ranking second (41%). The other highest ranked threats identified were hackers (34%) and third-party service providers (27%).
These results make it clear that threats are coming from all directions so it’s distressing, but not surprising that more than three quarters (77%) of respondents admitted having suffered at least one data breach, with 41% having suffered one in the last two years.
“Over 17 years of doing this study, we’ve seen some fundamental shifts occur across the industry. The findings in the Entrust 2022 Global Encryption Trends study point to organisations being more proactive about cybersecurity rather than just reactive,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “While the sentiment is a very positive one, the findings also point to increasingly complex and dynamic IT landscape with rising risks that require a hands-on approach to data security and a pressing need to turn cybersecurity strategies into actions sooner rather than later.”
“As more enterprises migrate applications across multi-cloud deployments there is a need to monitor that activity to ensure enforcement of security policies and compliance with regulatory requirements. Similarly, encryption is essential for protecting company and customer data and it is encouraging to see such a significant jump in enterprise-wide adoption,” said Cindy Provin, Senior Vice President for Identity and Data Protection at Entrust. “However, managing encryption and protecting the associated keys are rising pain points as organisations engage multiple cloud services for critical functions. As the workforce becomes more transitory, organisations need a comprehensive approach to security built around identity, zero trust, and strong encryption rather than old models that rely on perimeter security and passwords.”