Encryption is an effective method of ensuring data protection, yet its adoption within companies and organisations is patchy. Encryption: why such a big problem? We examine a major IT security issue.
Worldwide, only one in two companies systematically applies encryption measures as part of their strategy to protect sensitive data. This figure of 50%, taken from a study by Entrust, may seem satisfactory, but it should in fact be read as a warning: it means that one company in two does not systematically apply a data encryption strategy...
Is there still any need to point out that encryption is one of the basic pillars of any IT security policy? It is a simple and effective way to protect data by ensuring that it is not accessed, distorted or stolen by malicious third parties. However, many companies still fail to implement such practices systematically. Here’s why.
Data encryption in early 2023
Firstly, what is encryption? Encryption is a technique which protects data by rendering it unreadable. Only authorised parties can then retrieve the access keys required to decrypt the content. Encryption can be full-disk (at device level) or individual (at file level). There are a number of best practices that need to be implemented, as Guillaume Boisseau, Head of Professional Services at Stormshield, points out: “A good principle to adopt is to encrypt all sensitive data, i.e. data that is vital to the company and its operations. For example, sensitive data such as invitations to tender and all kinds of information on customers, suppliers or subcontractors.”
With the advent of computers and the explosion in data exchanges from the 1980s onwards, some members of the general public and some companies began to take an interest in encryption methods. More recently, new mobile practices and the widespread use of collaborative tools have brought the issue of data protection and the need for encryption back to the fore. But this momentum has been checked by the promise of native encryption that has blossomed in messaging apps such as Telegram, Signal or WhatsApp, and in the Microsoft 365 and Google Workspace collaborative platforms. Although “a number of players are now offering native encryption solutions,” says Joseph Graceffa, President of CLUSIR Nord de France, “we need to bear in mind that this means handing over the access keys to these same players.” After all, once sensitive data is protected, the means of accessing that data (the keys) become just as critical as the data itself. Where a third party is given responsibility for managing those keys, companies therefore have a pressing need to retain control over them. That control matters even more when the same trusted third party also hosts the sensitive data, because it could then read the data itself. Keeping the encryption keys under the company's own control ensures that the storage servers never see either the data in plain-text form or the key used to decrypt it. These are basic concepts of corporate digital hygiene for ensuring the security and confidentiality of sensitive data. Yet in practice, encryption is struggling to gain ground in companies, both in the systems used and in the data stored on terminals and servers.
The problematic issue of corporate data encryption implementation
Today, data is ubiquitous, and is exchanged both inside and outside the company. According to research in 2021 by the Ponemon Institute for the Entrust company, only 50% of companies surveyed said they had a comprehensive encryption plan in place for the entire company, 37% said they had an encryption policy for a few applications only, while 13% said they had no data encryption policy at all. Resistance to the widespread use of computer data encryption methods is therefore evident. But what’s behind this reluctance to encrypt data?
The reasons for this low adoption rate relate more to organisational and operational issues than to the choice of technology. The first difficulty is organisational: creating a data management policy. Yet this step is essential to ensure data protection, to comply with the regulations in force (data protection authority requirements, GDPR, etc.), and even to derive value from analysing the data. Next, at the operational level, the company needs the skills to manage this project and to implement an effective PKI (Public Key Infrastructure). This fundamental corporate encryption tool is a set of physical components, human procedures and software designed to manage user/employee keys. A key management system of this kind covers every stage, from key generation through distribution and provision to obsolescence management and renewal. “The problem often boils down to issues of this nature, relating to the deployment of tools for managing and using encryption keys,” says Joseph. In addition, data classification needs to be taken seriously in order to understand the different levels of data sensitivity. Raising user awareness is another organisational issue, and one that goes hand in hand with a clear classification process, because effective data protection always starts with the person who generates the critical data. This is what raising awareness is about: making users aware of how to apply the classification process correctly. And all the above internal issues have not even touched on the subject of interoperability.
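The two points above, that a company retaining its own keys means the storage server sees neither plain-text data nor a usable key, and that a key management system must cover generation, provision and renewal, can be made concrete with a small client-side envelope encryption scheme. This is an added illustration, not Stormshield's product code or any PKI's actual API: the file is encrypted under a per-file data key (DEK), which is itself wrapped under a master key (KEK) the company keeps, and renewing the KEK only rewraps the DEK without re-encrypting the file. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen purely so the example runs with the Python standard library; a production system would use AES-GCM from a vetted library.

```python
"""Client-side envelope encryption with a customer-held master key.

Illustrative only (not a vendor's code): the storage server receives only
{ciphertext, wrapped DEK}, so it never holds plaintext or a usable key.
Cipher = HMAC-SHA256 counter-mode keystream + encrypt-then-MAC tag,
used here solely to avoid non-stdlib dependencies.
"""
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i)
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with separate enc/mac subkeys."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def generate_key() -> bytes:
    # Lifecycle step 1, generation: the KEK stays in the company's own PKI/HSM.
    return secrets.token_bytes(32)

def protect_file(kek: bytes, plaintext: bytes) -> dict:
    # Lifecycle step 2, provision: per-file DEK, wrapped under the KEK.
    dek = generate_key()
    return {"ciphertext": encrypt(dek, plaintext), "wrapped_dek": encrypt(kek, dek)}

def open_file(kek: bytes, record: dict) -> bytes:
    dek = decrypt(kek, record["wrapped_dek"])
    return decrypt(dek, record["ciphertext"])

def rotate_kek(old_kek: bytes, new_kek: bytes, record: dict) -> dict:
    # Lifecycle step 3, renewal: rewrap the DEK; bulk ciphertext is untouched.
    dek = decrypt(old_kek, record["wrapped_dek"])
    return {"ciphertext": record["ciphertext"], "wrapped_dek": encrypt(new_kek, dek)}
```

The record returned by `protect_file` is what a storage provider would hold; without the KEK it can neither read the file nor unwrap the data key, and after `rotate_kek` the retired KEK no longer opens the record.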
In addition to these difficulties for IT and security teams, it is commonly said that computer data encryption is “sacrificed at the altar of habit and convenience.” To avoid this pitfall, encryption solutions need to be simple, easy and transparent for both users and administrators. Firstly, CISOs should consider strategies that let employees reconcile their daily usage habits with a high level of security, going beyond blanket device-level encryption to also adopt individual file encryption. Secondly, software publishers have a role to play in providing advice and operational support. “It’s the solution’s job to adapt to the user’s daily life, not the other way around,” says Guillaume. Eliminating friction points and optimising the user journey is therefore the way forward for teams seeking to integrate these new methods into their digital hygiene routines. “The tools must be usable for employees who handle sensitive data on a daily basis, as well as for the average user. It is then the job of the teams responsible for developing and deploying the solution to ask themselves the right questions,” Guillaume insists. The “anywhere, anytime” adage must also apply: it must be possible to use encryption solutions on all devices, from workstations to laptops and tablets.
The issue of corporate computer data encryption is therefore a particularly acute one at a time of widespread cyber threats. Although companies have already implemented a number of methods, particularly in respect of intellectual property, payment data and financial data, encryption of all sensitive data in companies remains a major issue… especially with an even more pressing threat looming on the horizon: the advent of quantum computing. Once this technological revolution is underway, the issue will no longer be one of encryption alone, but of post-quantum encryption. In the meantime, more needs to be done to deliver optimum levels of security for all.