More Enterprises Encrypting Data, But Spending Less to Do It: Survey

An annual survey of encryption deployment in businesses finds that slightly more firms have a comprehensive strategy, with retail and health care firms showing the most significant gains.

Data Encryption

Following major breaches in 2014—which hit retail and health care firms the hardest—enterprises have increasingly adopted encryption strategies despite the majority having significant difficulties deploying the security technology, according to a survey conducted by the Ponemon Institute.

The survey, released on Apr. 20, found that 64 percent of companies have an encryption strategy that is either consistently applied across all business data or that secures different data types in different ways. More than a third of companies had extensively deployed encryption technologies, according to the report, which was sponsored by security firm Thales e-Security.

While financial services continued to be the industry that led in deploying encryption deployment in 2014, the greatest percentage gains were in the health care, pharmaceuticals and retail industries.

"These are less sophisticated industries than the financial side, and making them aware of the lessons that have been learned by the banks can help them figure [it] out," Richard Moulds, vice president of product strategy at Thales e-Security, told eWEEK.

Over the past three years, privacy and data-security incidents have highlighted corporate failures in protecting sensitive data. In June 2013, reports of widespread surveillance and data collection by the National Security Agency (NSA) and international intelligence organizations underscored the vulnerability of unencrypted data. The huge data breaches that hit retail giant Target and health insurance companies Anthem and Premera further highlighted the privacy risks posed by unsecured data.

The Ponemon survey found that most companies—64 percent—encrypt to comply with regulations that mandate they secure data or protect the privacy of their customers. Other reasons for encrypting data included protecting against specific threats and to shield data from compliance requirements.

On average, 36 percent of companies had a complete encryption strategy applied across the business. Yet, companies in three nations were more proactive in deploying encryption: privacy-sensitive Germany led the pack with 59 percent of companies establishing a comprehensive strategy, while U.S. and Japanese firms were above average with 43 percent and 39 percent of businesses, fully deploying encryption, respectively, according to the study.

Spending on encryption fell in 2014, however. The amount of money spent, as a percentage of IT security budget, fell to 15.7 percent in 2014 from 18.2 percent the prior year. Overall, security spending dropped slightly in 2014 to 9.2 percent of the entire IT budget from 9.9 percent in 2013. IT security spending has increased steadily over the past decade, however, from 7.5 percent in 2005, according to the Ponemon report.

A major hurdle in deploying encryption is identifying where sensitive data resides in the network, respondents told the Ponemon Institute.

"Finding the data is at the top of the list of the encryption problems for companies," Moulds said. "Data is like a virus. It moves all over the company, so figuring out where it has gone is difficult."

Companies are most drawn to encryption systems that can secure data both on-premise and in the cloud, the survey found. Employee and human-resources information are the data types most likely to be encrypted by businesses, followed by payment-related data and financial records.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...