Data protection with encryption, considered one of the most recognized and widely implemented security controls today, is still a major challenge for companies. According to the American company Vera Security, only 4% of data breaches are considered “secure”, where encryption renders the stolen files useless.
Encryption is usually purchased and deployed to satisfy compliance requirements. In other words, it is usually not aligned with real-world security risks, such as data theft and accidental employee excesses.
In fact, applying encryption technology effectively is one of the main challenges organizations face in achieving satisfactory data protection performance.
To give you an idea of the situation, data presented in a survey by Vera Security shows that 61% of respondents believe that compliance drives the need for encryption, not the protection of user data.
This further increases the disconnect between encryption and security.
The report also cites perimeter-oriented encryption deployments as one of the main reasons why organizations’ encrypted data protection investments are misaligned with how employees and business partners actually use critical data.
The challenge of protecting data with encryption throughout the business lifecycle
For professionals specializing in security, privacy and risk, the speed and scale of how data moves through organizations and their partners today are the factors that most increase the need for data protection.
Especially in today’s collaborative post-cloud environment, organizations must invest in data protection with encryption throughout the business lifecycle.
The main approach is to use file security with always-on encryption to protect data during its lifetime. This ensures compliance with existing laws and regulations. This strategy aims to provide strong encryption, real-time access control and defined policy management.
Another important finding in the report is that almost two thirds of respondents rely on their employees to follow security policies as the only way to guarantee the protection of distributed files.
However, 69% are very concerned about the lack of control over documents sent outside the network or collaborated on in the cloud. Finally, only 26% have the ability to locate and revoke access quickly.
The survey also shows that only 35% of respondents incorporate data protection with encryption into security processes in general. Meanwhile, others cite difficulties in implementing the technology correctly as the reason for its low prioritization in the organization.
One of the main conclusions of the research is that encryption is not seen as an “easy win”. It is also considered difficult to deploy and use.
Recommendations for turning this game around with cryptography
Despite the difficulties in adopting data protection with encryption in companies, it is worth noting that there are data-centric security technologies that can provide real-time tracking and access control, without inconveniencing the end user. The recommendations are as follows:
1. IT and business teams need to follow the company’s workflow to find security gaps
These teams will then be able to find hidden data exposures. In addition, it should be noted that encryption mechanisms generally cannot keep up with data and new user functions.
Thus, organizations need to study how employees actually use sensitive information to identify areas where data protection with encryption cannot reach or is disabled out of necessity.
A team that knows the organization’s sensitive data can help map it out so that IT can deploy encryption correctly. That’s why the business team must be multidisciplinary, involving various areas of the company.
2. Invest in preventing attacks
Organizations should avoid reactive thinking about incidents (“actions to be taken only after the attack”). After all, in most organizations, mistakes made by well-intentioned employees outweigh malicious threats.
For this reason, companies are advised to ensure clear visibility of their processes to help employees and managers contain accidental data exposure and apply their policies to prevent data theft and loss of privacy.
The question to ask now is when the company’s data will leak. With this in mind, it becomes clearer how to define an appropriate strategy that will prevent the attack and ensure that, if it does occur, the data remains protected.
3. Align the business, partners and technologies to protect data with encryption
Companies need to align their technological resources – and this includes encryption – to deal with cloud, mobile and third-party technologies. The multiplication of mobile devices and business partners presents a wide variety of new places where data must travel.
Routing this data access through cloud and other centralized services helps IT, security and business leaders restore visibility and consolidate control by including this data on platforms with built-in encryption and file access controls.
The strategy for meeting the challenge of data protection with encryption needs to be assertive
Finally, the main obstacles to adopting encryption cited by those interviewed in the survey were:
- Data is not taken seriously enough (40%);
- Implementing an encryption policy on all data is considered very difficult (18%);
- It’s not easy to keep track of where data is being stored (17%);
- Internal applications have not been tested to ensure that data is protected in accordance with the policy (13%);
- Administrators are unable to configure encryption controls correctly (12%).
Against this backdrop, we can see that we have a major challenge ahead of us. Companies cannot leave the burden of data security to IT teams alone.
Instead, they must raise awareness of, implement and properly test an assertive data protection strategy with encryption.
And for these security objectives, investing in technology is essential.
When planning encryption needs, map information flows across all applications and the tables that store relevant information. Then apply data protection with encryption for storage and transmission. And don’t forget data access control either.
Finally, to further protect the organization’s data, be careful with documents or applications shared between users. They are easy to access and share, but can put confidential information at risk.
Encryption-based access controls again ensure that only authorized users can access certain data. Track and monitor data usage to ensure that access controls are effective.