The Rise of Device Encryption

Written by

McDonalds, Volkswagen and Audi have all recently disclosed that confidential personal information belonging to their customers has been compromised. This is further proof – should we need it – that no organization is immune to a data breach, and that even the world’s biggest security budgets and teams struggle to prevent data being lost, leaked or stolen.

Company-wide encryption of data is being increasingly recognized as a straightforward way of mitigating this risk – locking information down so that whatever happens around it, it remains unintelligible to anyone not authorized to access it. This has been underlined by US President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity, which stipulates the requirement to encrypt data both at rest and in transit.

The good news is that the deployment of encryption is increasing, particularly on portable devices, as highlighted by Apricorn’s annual survey. A third (31%) of IT leaders who responded said their organization now requires all data to be encrypted as standard, while 32% say there has been a rise in encryption across all mobile and removeable devices in the past year. A quarter (24%) of organizations have a policy to encrypt all data when it’s being stored on their systems or in the cloud.

The findings also illustrate how a lack of encryption can make an organization vulnerable: 12% of the IT leaders surveyed said that this had been the cause of a data breach within their business in the last year.

31% of IT leaders said their organization now requires all data to be encrypted as standard

Protection and Control of Removable Media

Use of encryption is particularly advanced when it comes to external hard drives and USBs, with 77% of IT leaders confirming that their organization requires encryption of all data held on such devices.

Many of these have policies in place that enable them to control which removable media devices are plugged into their networks and systems, with more than half (51%) limiting their employees to using devices that have been approved by the organization.

A third (33%) insist on hardware-encrypted devices as this provides better protection than software encryption, as the keys are held safely in a crypto module that stops brute force attacks and unauthorized access. Better still, if the device has its own PIN pad for authentication, all authorization and cryptographic operations take place within the device itself, meaning it never shares critical security parameters with a host computer.

Plans for Expansion

The increase in the use of encryption looks set to continue. When questioned on how they plan to extend encryption across their organization, the IT decision makers surveyed by Apricorn said they intend to expand usage on USB sticks (19%), laptops (16%), desktops (12%), mobiles (22%) and portable hard drives (18%).

The plans for increased encryption are hugely positive, but requirements will need to be firmly embedded in remote and hybrid working policies if they are to be effective. Many employees will be combining home and office working for at least the next few months – perhaps permanently. The threat surface will expand as staff access networks, systems and databases from diverse locations, using both business and personal devices. Devices are likely to be a particular point of vulnerability in this highly mobile, complex working environment, giving attackers a convenient potential entry point for gaining access to corporate data and networks.

77% of IT leaders require encryption of all data held on devices such as external hard drives or USBs

Building a Culture of Security

Employee education will be especially important in ensuring security and encryption policies are followed. More than a quarter of the IT leaders surveyed by Apricorn believe their remote workers simply “don’t care” about security, which indicates an alarming lack of engagement.

Every individual must understand their responsibilities around encryption. They’ll need clear briefings on the company’s policies, as well as which tools, devices and technologies they’re permitted to use, and how to implement them safely. By providing employees with removable USBs and hard drives that automatically encrypt all data written to them, companies can give the entire workforce the capability to securely store data offline and move it between office and home safely.

Encryption offers organizations of all sizes a way to facilitate productive and flexible working while keeping critical data and systems protected. The fact is, the huge brands mentioned at the start of this article have the power to weather the storm of a data breach. Their share price may take a temporary knock, and they may end up facing a large fine, but they have the customer loyalty and resources to take the hit. This isn’t the case for every organization. Encrypting all data as standard will not only mitigate against the potentially crippling financial cost of a data breach, it will also protect the company’s reputation and the trust of its customers.

Brought to you by

What’s hot on Infosecurity Magazine?