Time and time again in the UK we have seen some of our most high-profile companies fall victim to data breaches due to lax security. Firms are now advised to accept that, due to the broadening scope of the data threat landscape and the increasing levels of sophistication in cyber crime, it is no longer a case of if they are hacked, but when. The most obvious solution to this growing problem is to simply encrypt everything, which ensures that, when data does fall into the wrong hands, it is of practically no use to anyone.
So why is it, then, that ‘encrypt everything’ is not the default strategy across the board for UK businesses?
According to the 2016 Vormetric Data Threat Report (DTR), the overriding reason for failing to adopt adequate security is the issue of ‘complexity’. In fact, 57% of respondents to this year’s survey cited it as the main barrier to adoption for data security, with “lack of staff to manage” (38%) a distant second. However, the truth of the matter is that, with new technology like Live Data Transformation, it couldn’t be simpler. Data can now be encrypted in place, with zero downtime, transparently and ‘behind-the-scenes’.
Concerns over ‘complexity’ have led to many organisations only encrypting data which they consider to be highly sensitive. While obviously this is better than no encryption at all, it does raise the question: what exactly is sensitive data? It is hard enough to know where your sensitive data is located, let alone classify it and determine its level of sensitivity, particularly when it is constantly changing. The DTR research confirms that most companies, in fact, do not have complete knowledge of where their sensitive data is located.
This brings us back to why it is so important to encrypt everything. By doing so, organisations will no longer need to worry about what data is sensitive and where that data is located. Instead, they can feel confident that no matter where data resides or how it moves around the organisation, when a breach does occur, any information accessed by cyber criminals will have been rendered illegible. This limits damage and prevents the kind of catastrophic financial and reputational harm companies like TalkTalk have suffered in the past.
It is also worth considering that, with time ticking away until the new EU-wide General Data Protection Regulation comes into play, the adoption of an ‘encrypt everything’ strategy with complementary controls in place will allow organisations to not only better ward off would-be hackers, but also achieve compliance, and thus avoid additional penalties.