A new study reveals that organizations appear to struggle to assess and remediate data encryption risks and policy violations.

The study, Operationalizing Encryption and Key Management, was recently released by Fortanix Inc. and conducted by Enterprise Strategy Group (ESG). The findings showed that a lack of encryption is the primary contributor to sensitive data loss, even though confidence in cryptographic capabilities is strong. At the same time, encryption is pervasive and on the rise for data at rest, in motion and in use.

The study surveyed nearly 400 IT, compliance, DevOps and cybersecurity professionals involved with encryption and data security technologies and processes across the U.S. and Canada. All respondents were from large or mid-market organizations in industries including manufacturing, financial, technology and healthcare.

The survey found that 90% of respondents agreed that encryption has a positive impact on the various facets of their network security, data security, and overall security, with more than 50% saying it has a significantly positive impact in each of these areas. The report also uncovered that businesses want to encrypt their data, but they often don’t know how. A lack of adequate cybersecurity staff and expertise leads to confusion around where and when to apply encryption, management complexities, and difficulty assessing cybersecurity. Similarly, a lack of encryption remained the top reason for data loss for almost 33% of the respondents, and 25% experienced data loss due to policy violations such as small key size. 

Determining when and where to apply encryption emerged as the most difficult task for tech professionals. This indicates the need for solutions that provide consolidated discovery and assessment of cryptographic keys across hybrid, multicloud environments, both to protect critical assets and to enable security, cloud operations, and developer teams to jointly assess risk posture and remediate compliance gaps.

Other findings on IT professionals' challenges and priorities around encryption include:

  • 76% of respondents are aware of post-quantum cryptography (PQC), including 37% already actively testing it and 14% that are currently using it. Costs, budgets, and staffing are the biggest limitations in PQC adoption.
  • Roughly 81% of respondents said their organizations have dedicated teams to handle encryption, key management, and certificate management, with 63% of those reporting directly to the C-level.
  • Key management systems, data loss prevention, and hardware security modules are the top three security technologies used by respondents to secure their organization's data. Fewer than a quarter (24%) currently have a single unified key management system in place, although that is expected to grow to 50% soon. Meanwhile, distributed or federated key management system usage will shrink from 74% to just 47%.