A new Vera report reveals stark numbers behind the mounting toll of data breaches triggered by cybercrime and accidents.
Although encryption is one of the most recognized and mandated security controls, installed encryption tools protect just four percent of breached files. Meanwhile, compliance-focused mindsets and perimeter-driven encryption deployments keep organizations’ encryption investments fundamentally misaligned with how employees and business partners use crown jewel data.
Vera surveyed cybersecurity and IT decision-makers at North American organizations across healthcare, finance, government and other industries to understand how enterprises value and use encryption and access control technologies.
Sixty-one percent of respondents believe compliance drives the need for encryption, not users’ data protection, heightening the disconnect between encryption and security. Meanwhile, to ensure the security of files that are distributed or shared, 41 percent of companies resort to banning the use of file-sharing sites, hindering productivity and collaboration.
“Our report confirms what security, privacy and risk professionals are realizing – the speed and scale of how data moves across fluid organizations and their partners today is the biggest factor upending data protection,” said Carlos Delatorre, CEO at Vera. “In the current post-cloud, collaborative environment, organizations must secure and protect data throughout its entire lifecycle. Always-on file security enables them to do that seamlessly and effectively while remaining compliant with regulations. The news is not all bad – organizations reorienting operations around more collaborative cloud and mobile fabrics are at a crossroads where they can capitalize on these changes to seamlessly add far more effective visibility and access controls.”
- Almost two-thirds of respondents rely on their employees to follow security policies to ensure the security of distributed files, yet 69 percent are very concerned about their lack of control when files are sent outside of the network or placed in cloud collaboration.
- Only 35 percent of respondents build encryption into security processes and procedures across the board, while others cite difficulties with deploying encryption properly as the reason it is deprioritized.
- Digital rights management is only used by 26 percent of respondents, with antivirus predominantly seen and used as the main preventative security technology.
Vera’s recommendations for IT and security teams:
- Follow the workflow to find hidden data exposures: Encryption mechanisms often cannot keep up with data and users’ changing roles. Study how employees actually use data to pinpoint areas where encryption cannot reach, or is disabled out of necessity.
- Resist “attack only” thinking: Well-meaning employees who make mistakes outnumber malicious threats in most organizations, yet exotic malware in the headlines can skew cyber risk thinking to focus on distracting “What if?” attack scenarios rather than building in visibility to help employees and managers contain accidental data spills and enforce policies.
- Align resources to cohesively tackle cloud, mobile and third-party forces: Multiplying mobile devices and business partners present a dizzying array of new places data must travel. However, routing this data access through approved cloud and other centralized services helps IT, security and business leaders restore visibility and consolidate control by infusing these platforms with embedded encryption and access controls over files.