Forty-one percent of enterprises have an encryption strategy applied consistently throughout the organization (up from 37 percent last year), according to the results of Thales’ 2017 Global Encryption Trends Study.
The report, based on a Ponemon Institute survey of more than 4,800 people across several industry sectors, also found that 46 percent of respondents perform encryption on-premise prior to sending data to the cloud, and 21 percent encrypt in the cloud using keys they generate and manage on premises.
Surprisingly, 37 percent of enterprises turn over complete control of keys and encryption processes to cloud providers.
Compliance is the top driver for encryption, cited by 55 percent of respondents — followed by enterprise intellectual property (51 percent), customer information protection (49 percent) and protection from external threats (49 percent).
Fifty-nine percent of respondents said determining where sensitive data resides in their organization is the greatest challenge to encryption deployment, followed by initially deploying the encryption technology (47 percent), classifying which data to encrypt (36 percent), ongoing management of encryption and keys (31 percent), and training users to use encryption appropriately (16 percent).
Encrypting in Response to Threats
“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyber attacks, as well as the need to protect a broadening range of sensitive data types,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement.
“Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy,” Ponemon added. “Encryption and key management continue to play critical roles in these strategies.”
Separately, a Venafi survey of more than 1,540 information security professionals found that 23 percent of respondents have no idea how much of their encrypted traffic is decrypted and inspected.
“Encryption offers the perfect cover for cyber criminals,” Venafi chief security strategist Kevin Bocek said in a statement. “It’s alarming that almost one out of four security professionals doesn’t know if his or her organization is looking for threats hiding in encrypted traffic.”
“It’s clear that most IT and security professionals don’t realize the security technologies they depend on to protect their business are useless against the increasing number of attacks hiding in encrypted traffic,” Bocek added.
Inspecting Encrypted Traffic
Forty-one percent of respondents said they encrypt at least 70 percent of their internal network traffic, while 57 percent said they encrypt at least 70 percent of their external Web traffic.
Just under a fifth (19 percent) of respondents said they decrypt and inspect all of their encrypted traffic.
Forty-one percent of respondents believe they can detect and respond to a cyber attack hidden in encrypted traffic within a week — and 20 percent believe they can do so without one day.
“Although the vast majority of the respondents inspect and decrypt a small percentage of their internal encrypted traffic, they still believe they can quickly remediate a cyber attack hidden in encrypted traffic,” Bocek said. “The problem is that attackers lurking in encrypted traffic make quick responses even more difficult.”
“This is especially true for organizations without mature inbound, cross-network, and outbound inspection programs,” Bocek added. “This overconfidence makes it very clear that most security professionals don’t have the strategies necessary to protect against malicious encrypted traffic.”