Australia is lagging behind the global average when it comes to having a consistent, enterprise-wide encryption strategy. This and other findings are highlighted in the Entrust 2022 Australian Global Encryption Trends Study, the seventeenth annual multinational survey of IT professionals conducted by the Ponemon Institute.
The study reports on the cybersecurity challenges organisations face today, and how and why organisations protect their data. Key findings include:
Companies are taking data protection more seriously, but there’s still a way to go
The global average of organisations having a consistent enterprise-wide encryption strategy leapt from 50 percent to 62 percent as they seek greater control of the data they have distributed across multiple cloud environments.
In contrast, this research shows that Australian organisations are lagging behind global averages: the share of organisations reporting a consistent enterprise-wide encryption strategy stagnated at 55% in 2022, from 54% in 2021.
“In Australia, we noticed that the encryption strategy has stagnated over the last two years, which was an interesting find given that last year Australia was ahead of the global average. Organisations in Australia are striving to defend sensitive data against threats as they continue to increase their use of the cloud, containers and IoT platforms; however, the slow growth highlights the pain point of skills shortages in Australia,” says James Cook, VP Sales, Digital Security APAC, Entrust.
The study found that the top driver for encrypting data in Australia is to protect information against specific, identified threats (68% of respondents, vs. the global average of 50% and an increase from 63% in Australia last year). The next highest driver was to comply with internal policies (53% of respondents vs. the global average of 27%).
Respondent organisations in Australia encrypt several data types at higher rates than the global averages, with financial records topping the list (56% in Australia vs. 45% globally). Healthcare information (32% in Australia vs. 22% globally) is also noteworthy. The research shows that the types of data being encrypted have changed from last year, when intellectual property was the most encrypted data type (62% in 2021 vs. 48% in 2022), followed by employee data (60% in 2021 vs. 50% in 2022).
This year’s report also revealed that the two biggest challenges in planning and executing a data encryption strategy were finding the data (55% of respondents in Australia) and classifying it (36% of respondents in Australia).
While the results indicate that companies have gone from assessing the problem to acting on it, they also reveal encryption implementation gaps across many sensitive data categories. For example, in Australia alone, just 36% of respondents say that encryption is extensively deployed across containers, 28% for big data repositories and 41% across IoT platforms. Similarly, while 63% of global respondents rate hardware security modules (HSMs) as an important part of an encryption and key management strategy, half said they were still lacking HSMs. These results highlight the accelerating digital transformation underpinned by the movement to the cloud, as well as the increased focus on data protection.
Organisations seek greater control of their cloud data
This year’s study also reveals how the flow of sensitive data into multiple cloud environments is forcing enterprises to increase their security in this space. Notably, this includes containerised applications, where the use of HSMs reached an all-time high of 33% in Australia and 40% on average globally.
More than half of Australian respondents (57%) admit their organisations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenisation or data masking. Another 30% said they expect to do so in the next one to two years.
“The rising adoption of multi-cloud environments, containers and serverless deployments, as well as IoT platforms, is creating a new kind of IT security headache for many organisations,” said John Metzger, vice president of product marketing for digital security solutions at Entrust. “This is compounded by the growth in ransomware and other cybersecurity attacks. This year’s Global Encryption Trends study shows that organisations are responding by looking to maintain control over encrypted data rather than leaving it to platform providers to secure.”
When it comes to protecting some or all of their data at rest in the cloud, 51% of those surveyed in Australia said encryption is performed in the cloud using keys generated and managed by the cloud provider. Another 24% of respondents reported encryption being performed on-premises prior to sending data to the cloud using keys their organisation generates and manages, while 16% are using some form of Bring Your Own Key (BYOK) approach.
Together, these findings indicate that the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud, but also that encryption and data protection in the cloud are being handled more directly.
Employees continue to represent a significant threat to sensitive data
When it comes to the sources of threats, 59% of Australian respondents identified employee mistakes as the top threat that might result in the exposure of sensitive data, compared with the global average of 47%. The other highest ranked threats identified were system or process malfunction (36%), the threat from temporary or contract workers (29%), and hackers (15%).
These results make it clear that threats are coming from all directions, so it is distressing, but not surprising, that nearly three quarters (85%) of respondents admitted having suffered at least one data breach, and just about half (47%) having suffered one in the last 12 months.
“Over 17 years of doing this study, we’ve seen some fundamental shifts occur across the industry. The findings in the Entrust 2022 Global Encryption Trends study point to organisations being more proactive about cybersecurity rather than just reactive,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “While the sentiment is a very positive one, the findings also point to an increasingly complex and dynamic IT landscape with rising risks that require a hands-on approach to data security and a pressing need to turn cybersecurity strategies into actions sooner rather than later.”
“As more enterprises migrate applications across multi-cloud deployments there is a need to monitor that activity to ensure enforcement of security policies and compliance with regulatory requirements. Similarly, encryption is essential for protecting company and customer data and it is encouraging to see such a significant jump in enterprise-wide adoption,” said Cindy Provin, Senior Vice President for Identity and Data Protection at Entrust. “However, managing encryption and protecting the associated keys are rising pain points as organisations engage multiple cloud services for critical functions. As the workforce becomes more transitory, organisations need a comprehensive approach to security built around identity, zero trust, and strong encryption rather than old models that rely on perimeter security and passwords.”