Data protection may have been made the focus of companies’ concerns by various regulations, including the GDPR, yet this issue still requires greater awareness and an associated culture. As a result, organisations need to deploy methods to protect their data in the face of increasingly sophisticated cybercriminals and in increasingly complex digital environments.
In its 2025-2028 strategic plan, the CNIL presented an overview of data breaches over the last three years. Since 2022, the CNIL has received more than 14,000 notifications of data breaches. In addition to this assessment, the agency has drawn up a strategic plan to help both individuals and organisations protect their assets and data. With an average of almost 13 data compromises every day, companies are no longer wondering if they are going to be attacked, but when. This is why, in addition to solutions to limit cybercriminal access to corporate networks, measures must also be put in place to reduce the impact of intrusions. To achieve this, encryption – which makes sensitive data inaccessible – is essential.
Cyber-criminals on the hunt for data
In 2024, 5,629 data breaches were reported to the CNIL – an increase of 20% on the previous year. In the majority of cases, threat actors have recovered information from organisations by gaining access to connections, stealing the login details of legitimate partners or employees, or exploiting vulnerabilities in information systems.
Cyber-criminals also sometimes implement a “Man-in-the-Middle” (MiTM) cyberattack strategy. In this type of intrusion, an adversary secretly steps in between two parties who think they are communicating directly with each other. Every piece of information (sensitive data, credentials and messages) passes via the adversary, enabling it to be stolen. This is why security solutions need to be put in place to prevent information from being exploited by cybercriminals.
Encryption: a necessary protection measure
The purpose of encrypting data is to make it unreadable in order to protect it. Only a decryption key allows authorised users to view the content. To be fully effective, data must be encrypted from end to end, to ensure that it remains permanently inaccessible to threat actors, particularly if it is transferred to storage or shared outside the company; for example, in the cloud.
However, some companies find it difficult to implement an encryption solution themselves, having entrusted this responsibility to their application or cloud providers. Applications such as WhatsApp or Google Workspace have their own encryption systems, often applied on the server side (“at-rest encryption”). On the client side, some applications partner with cybersecurity vendors to encrypt data too, but this remains limited. Delegating this task to third parties also means entrusting them with the access keys, and in the end, the risk becomes all the more severe when the company loses control over the information it needs to protect, particularly during data transfers. This is why it is essential to keep decryption keys within the organisation, so as to have total visibility over access to information, particularly sensitive data.
Sensitive data, as defined by the CNIL, “is a special category of personal data. This includes information that reveals a person’s alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and also the processing of genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.” This type of data is particularly strongly regulated, by the GDPR in particular. So, despite the trust an organisation places in its suppliers, it is important to maintain impeccable cyber hygiene so as not to increase risk through third-party access. It is therefore essential that sensitive data is never accessible to the storage servers in plaintext form.
Cybersecurity, and especially encryption, is sometimes sacrificed in the interests of ease of use; yet you would never dream of leaving your front door open for greater convenience, and exactly the same principle applies to data security. This is all the more true since, with simple, end-to-end solutions, there are no interoperability problems and no difficulties for users. Furthermore, this protection technology is only the first step towards longer-term security which, with the pressing threat of quantum computing, will require even higher levels of encryption.
Quantum computing: the future of attacks and protection
Although quantum computing is still in its infancy, this revolution could be a double-edged sword, being used by both security teams and threat actors. Today, according to ANSSI, some cyber-criminals are acquiring expertise in “store now, decrypt later” attacks, which involve stealing and storing sensitive encrypted data that has a long lifespan with the aim of reading it when quantum technology makes this possible – perhaps years later.
This is why organisations that are still unwilling to commit should turn to a simple, end-to-end encryption system: not only to protect their sensitive assets now, without taking any risks when transmitting data, but also to prepare for the cybersecurity world of the future. By the time quantum and post-quantum technologies have become ubiquitous, it will be too late to protect ourselves. So it's vital to start thinking about encryption and data protection now.