02:20 PM
Employee Data More Exposed Than Customer Data

New encryption report shows midsized organizations fail to encrypt all the sensitive things -- including their own intellectual property and financial data.

Midsized companies do a better job protecting their customer information than that of their own employees or their internal intellectual property, a new study found.

Nearly one-third of companies and organizations with 100 to 2,000 employees in the US, Canada, India, Australia, Japan, and Malaysia say they don't regularly encrypt their employees' bank information, and 43% don't always encrypt human resources files. Nearly half say they don't routinely encrypt employee health information, according to the Vanson Bourne survey conducted on behalf of security vendor Sophos.

And at a time when the US and other governments are trying to nip cyber espionage for economic gain in the bud via talks with China, one of the main offenders in that practice, nearly one-third of midsized organizations aren't routinely encrypting their financial data and 45% say they don't always encrypt their intellectual property.

Encryption remains a big missing link in many data breaches, and apparently, in many organizations' security practices. The study found that 44% of midsized companies say they widely deploy encryption, while 43% do so at some level. US companies encrypt the most widely (54%) and Malaysian companies the least (26%). And overall, just 38% of smaller organizations (100 to 500 employees) encrypt widely, while half of larger ones (more than 500 to 2,000 employees) do so.

Certain vertical industries of course, such as financial services, adopt encryption more widely.

"That companies are prioritizing customer over employee data is not surprising. But it is surprising how much employee data is exposed out there. And [that they are] leaving intellectual property and financial data unencrypted was just shocking to me," says Marty Ward, vice president of product marketing at Sophos.

While some 84% of respondents say they're worried about cloud security, only about 39% are encrypting all files they send to the cloud, and 47% encrypt some of their files.

Despite the counterintuitive practice of not widely protecting employee and internal organization data with encryption, there are signs of improvement and gradual adoption of encryption as a routine best practice. "Two years ago, the number of them not encrypting was in the 75% range. The fact that we're going toward the 50-50 range is actually an awareness of their part that they don't want to be [the organizations] in the press" hit by a big breach, Ward says.

And the move toward file encryption versus pure disk encryption is also a positive development, he says. The distinction matters: full-disk encryption only protects a volume that is powered off or pulled from the machine, because once the system has booted and a user has logged in, the operating system serves every file on it in the clear. File-level encryption, with keys tied to particular files or users, narrows the exposure to the files whose keys are actually in use at the time of a compromise.

So why are so many midsized organizations still not encrypting all the (sensitive) things?

Nearly 40% cite budget constraints; 31%, performance tradeoffs with encryption; and 28%, lack of encryption deployment know-how. About one-fifth say they don't have legal or regulatory requirements for encryption, and 19% say encryption isn't effective for locking down sensitive information.

The performance and complexity hurdle arguments are "myths that have been busted," Ward contends. "Encryption is a lot simpler" than it once was, and in many cases, invisible to the user, he notes. But given some of the respondents come from smaller firms with few security resources, the complexity argument isn't surprising.

Meanwhile, the good news is that most of the organizations say they do have plans to more widely encrypt their data in the next one to two years, the report says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
1/20/2016 | 2:54:11 PM
Re: Encryption benefits
Kelly, encryption in transit, as your link talks about, also makes sense. As you said, only risks are with tools needing to analyze the traffic data to accomplish something.

I'm specifically talking about data at rest in storage. Essentially ending up ransomwaring yourself with lost or corrupted keys. My point is, if the hack just involves getting system access with credentials allowed to decrypt the file, what have you gained? What I was hoping to gain from Dark Reading was some insight into what kind of hacks that type of encryption would help versus not help.

For example, it seems like a RAT hack would not help. Bad guy just using malware to impersonate you, who has access to decrypt. But are RATs 10% of hacks and some other technique at 70% where storage level encryption would help?

Or am I not looking deep enough here on this network layer encryption? Are you suggesting it would block a RAT from sending the file to bad guys server where he could read it? Meaning RAT couldn't open encrypted file with user's credentials/keys, save file as CSV, then transmit to bad guys server? If that is the case, then that is overwhelmingly good thing.

I'm just struggling with, ransomware being such a problem now, why you would take the risk of doing that to yourself, albeit unintentionally.
Kelly Jackson Higgins
User Rank: Strategist
1/20/2016 | 2:22:53 PM
Re: Encryption benefits
@TerryB, you raise a great point, and it's something we've addressed in previous stories. This report didn't go into that aspect, and obviously not all data must be encrypted. Access to encrypted data can be a challenge, with some security tools unable to do their work if the network flows are encrypted.

Here's a Q&A we did with the Internet Architecture Board's chair on the call for making encryption the new normal:

User Rank: Ninja
1/20/2016 | 1:50:58 PM
Encryption benefits
A good article from you (Dark Reading) would be to explain better how encryption helps in certain types of breaches. I get the lost laptop/hard drive scenario. But if hacked with legitimate credentials and accessing data through the intended application under those credentials, how does it help? To be invisible to the user experience means encryption/decryption takes place along with translation from zeros/ones to UNICODE to ASCII/EBCDIC to readable data in whatever (human) language that platform is using. Accessed under legit credentials, how does it afford any more protection?

As an IT lead at a midsize company, with no public interface outside a two-factor VPN tunnel, I see the risk in encryption. You have a key problem and your data is gone, unusable. So the decision becomes which is higher risk: being hacked in a way encryption would help, or some tech screwup where your keys are messed up and data unusable?

I've yet to see an article that clearly spells out choosing between these two. Especially when your data isn't clearly monetizable by someone.
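An added example, written by the editor and not part of TerryB's post or of Dark Reading's article, of the trade-off TerryB describes. It is in Go because the standard library has AES-GCM built in. It implements envelope encryption: each file is sealed under its own random data key (DEK), and that DEK is wrapped under a primary key-encryption key (KEK) and also under a separately stored escrow KEK. The type and function names (Envelope, EncryptFile, DecryptFile, NewKey), the key labels and the sample payroll line are all made up for the illustration. It shows what at-rest encryption buys and what it does not: a copy of the encrypted file without any KEK is unreadable and any modified byte is rejected; losing the primary KEK is survivable because the escrow KEK still unwraps the DEK, which is the answer to the "key problem and your data is gone" scenario; but whoever can call DecryptFile while holding a KEK, including a RAT running as the legitimate user, gets the plaintext, which is exactly the case TerryB says encryption does not help with.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one encrypted file; hypothetical layout, not a vendor format.
type Envelope struct {
	Ciphertext  []byte            // AES-256-GCM: nonce || ciphertext || tag
	WrappedDEKs map[string][]byte // KEK name -> DEK wrapped under that KEK (escrow copies)
}

// NewKey returns a fresh random 256-bit key (used for DEKs and KEKs alike).
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-GCM; aad binds the purpose into the tag.
func seal(key, plaintext []byte, aad string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, []byte(aad))...), nil
}

// open reverses seal; it fails on a wrong key or on any modified byte.
func open(key, sealed []byte, aad string) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], []byte(aad))
	}
	return nil, errors.New("ciphertext too short")
}

// EncryptFile seals plaintext under a new DEK and wraps that DEK under each
// KEK. A second, separately stored KEK is the escrow copy: losing one KEK
// no longer loses the file.
func EncryptFile(plaintext []byte, keks map[string][]byte) (*Envelope, error) {
	dek := NewKey()
	body, err := seal(dek, plaintext, "file")
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: body, WrappedDEKs: map[string][]byte{}}
	for name, kek := range keks {
		wrapped, err := seal(kek, dek, "dek:"+name)
		if err != nil {
			return nil, err
		}
		env.WrappedDEKs[name] = wrapped
	}
	return env, nil
}

// DecryptFile unwraps the DEK with whichever KEK the caller still holds, then
// opens the body. A copy of the envelope alone (lost disk, backup, cloud bucket)
// is useless without a KEK; any process holding a KEK, malware included, reads it.
func DecryptFile(env *Envelope, keks map[string][]byte) ([]byte, error) {
	for name, kek := range keks {
		dek, err := open(kek, env.WrappedDEKs[name], "dek:"+name)
		if err != nil {
			continue // missing, wrong or corrupted KEK: try the next one
		}
		return open(dek, env.Ciphertext, "file")
	}
	return nil, errors.New("no usable KEK: the file is unrecoverable")
}

func main() {
	escrow := NewKey() // stored separately from the primary KEK
	env, _ := EncryptFile([]byte("acct=0012345 routing=110000000"), // constructed sample
		map[string][]byte{"primary": NewKey(), "escrow": escrow})
	pt, err := DecryptFile(env, map[string][]byte{"escrow": escrow}) // primary KEK since lost
	fmt.Println(string(pt), err)
}
```

The design point is that the DEK, not the KEK, is what touches the data, so the KEK can be rotated or kept in a hardware module or key-management service without re-encrypting every file, and the escrow copy of the wrapped DEK is what turns a lost key from "data gone" into a recovery procedure. None of this changes the answer to TerryB's other question: whatever can reach the KEK at run time reads the file.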
User Rank: Ninja
1/20/2016 | 7:18:40 AM
This is why it's so dangerous when politicians who have no idea what they are talking about rail against encryption. That's not going to encourage business heads to learn more about it or consider its usage if they're told in the news that hiding information is a terrible thing.

Everything should be encrypted if not being accessed by the creator or intended recipient.
User Rank: Apprentice
1/20/2016 | 2:02:16 AM
I agree
Obviously it is. I agree with you.