Employee Data More Exposed Than Customer Data

New encryption report shows midsized organizations fail to encrypt all the sensitive things -- including their own intellectual property and financial data.

Midsized companies do a better job protecting their customer information than that of their own employees or their internal intellectual property, a new study found.

Nearly one-third of companies and organizations with 100 to 2,000 employees in the US, Canada, India, Australia, Japan, and Malaysia say they don't regularly encrypt their employees' bank information, and 43% don't always encrypt human resources files. Nearly half say they don't routinely encrypt employee health information, according to the Vanson Bourne survey conducted on behalf of security vendor Sophos.

And at a time when the US and other governments are trying to nip cyber espionage for economic gain in the bud via talks with China--one of the main offenders of that practice--nearly one-third of midsized organizations aren't routinely encrypting their financial data and 45% say they don't always encrypt their intellectual property.

Encryption remains a big missing link in many data breaches and, apparently, in many organizations' security practices. The study found that 44% of midsized companies say they widely deploy encryption, while 43% do so at some level. US companies encrypt the most (54%) and Malaysian companies the least (26%). Overall, just 38% of smaller organizations (100 to 500 employees) encrypt widely, while half of larger ones (more than 500 to 2,000 employees) do so.

Certain vertical industries, of course, such as financial services, adopt encryption more widely.

"That companies are prioritizing customer over employee data is not surprising. But it is surprising how much employee data is exposed out there. And [that they are] leaving intellectual property and financial data unencrypted was just shocking to me," says Marty Ward, vice president of product marketing at Sophos.

While some 84% of respondents say they're worried about cloud security, only about 39% encrypt all the files they send to the cloud, and 47% encrypt some of them.

Despite the counterintuitive practice of not widely protecting employee and internal organization data with encryption, there are signs of improvement and gradual adoption of encryption as a routine best practice. "Two years ago, the number of them not encrypting was in the 75% range. The fact that we're going toward the 50-50 range is actually an awareness of their part that they don't want to be [the organizations] in the press" hit by a big breach, Ward says.

And the move toward file encryption versus pure disk encryption is also a positive development, he says.

So why are so many midsized organizations still not encrypting all the (sensitive) things?

Nearly 40% cite budget constraints; 31%, performance tradeoffs with encryption; and 28%, lack of encryption deployment know-how. About one-fifth say they don't have legal or regulatory requirements for encryption, and 19% say encryption isn't effective for locking down sensitive information.

The performance and complexity hurdle arguments are "myths that have been busted," Ward contends. "Encryption is a lot simpler" than it once was, and in many cases, invisible to the user, he notes. But given some of the respondents come from smaller firms with few security resources, the complexity argument isn't surprising.

Meanwhile, the good news is that most of the organizations say they have plans to encrypt their data more widely in the next one to two years, the report says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
1/20/2016 | 2:54:11 PM
Re: Encryption benefits
Kelly, encryption in transit, as your link talks about, also makes sense. As you said, only risks are with tools needing to analyze the traffic data to accomplish something.

I'm specifically talking about data at rest in storage. Essentially ending up ransomwaring yourself with lost or corrupted keys. My point is, if the hack just involves getting system access with credentials allowed to decrypt the file, what have you gained? What I was hoping to gain from Dark Reading was some insight into what kind of hacks that type of encryption would help versus not help.

For example, it seems like a RAT hack would not help. Bad guy just using malware to impersonate you, who has access to decrypt. But are RATs 10% of hacks and some other technique at 70% where storage level encryption would help?

Or am I not looking deep enough here on this network layer encryption? Are you suggesting it would block a RAT from sending the file to the bad guy's server where he could read it? Meaning the RAT couldn't open the encrypted file with the user's credentials/keys, save the file as CSV, then transmit it to the bad guy's server? If that is the case, then that is an overwhelmingly good thing.

I'm just struggling with why, ransomware being such a problem now, you would take the risk of doing that to yourself, albeit unintentionally.
Kelly Jackson Higgins
User Rank: Strategist
1/20/2016 | 2:22:53 PM
Re: Encryption benefits
@TerryB, you raise a great point, and it's something we've addressed in previous stories. This report didn't go into that aspect, and obviously not all data must be encrypted. Access to encrypted data can be a challenge, with some security tools unable to do their work if the network flows are encrypted.

Here's a Q&A we did with the Internet Architecture Board's chair on the call for making encryption the new normal:

User Rank: Ninja
1/20/2016 | 1:50:58 PM
Encryption benefits
A good article from you (Dark Reading) would be to explain better how encryption helps in certain types of breaches. I get the lost laptop/hard drive scenario. But if hacked with legitimate credentials and accessing data through the intended application under those credentials, how does it help? To be invisible to the user experience means encryption/decryption takes place along with translation from zeros/ones to UNICODE to ASCII/EBCDIC to readable data in whatever (human) language that platform is using. Accessed under legit credentials, how does it afford any more protection?

As an IT lead at a midsize company, with no public interface outside a two-factor VPN tunnel, I see the risk in encryption. You have a key problem and your data is gone, unusable. So the decision becomes which is higher risk: being hacked in a way encryption would help, or some tech screwup where your keys are messed up and data unusable?

I've yet to see an article that clearly spells out choosing between these two. Especially when your data isn't clearly monetizable by someone.
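TerryB's two posts raise the same trade-off from two sides: encryption at rest does nothing against an intruder who already holds the application's credentials, and a lost or corrupted key turns the data into a self-inflicted ransomware case. The Go program below is an added example written for this page; it is not code from the article, the Sophos report or any commenter. It shows the usual mitigation for the key-loss risk, envelope encryption: each file is sealed under its own data key, and that data key is wrapped under more than one key-encryption key (KEK), here one on the live system and one held offline by a second custodian. Losing the live KEK is then recoverable; losing every KEK is not, which the code makes explicit. The escrow arrangement, the function names and the sample HR record are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealGCM encrypts plaintext with AES-256-GCM under key and returns nonce || ciphertext || tag.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; the GCM tag check makes a wrong key fail loudly rather than return garbage.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func newKey() ([]byte, error) {
	k := make([]byte, 32) // 256-bit key
	_, err := rand.Read(k)
	return k, err
}

type EncryptedFile struct {
	Body        []byte   // plaintext sealed under a one-off data key
	WrappedKeys [][]byte // that data key sealed under each key-encryption key (KEK)
}

// EncryptFile seals plaintext under a fresh data key and wraps that key under every KEK supplied.
func EncryptFile(plaintext []byte, keks ...[]byte) (*EncryptedFile, error) {
	if len(keks) == 0 {
		return nil, errors.New("at least one key-encryption key is required")
	}
	dataKey, err := newKey()
	if err != nil {
		return nil, err
	}
	body, err := sealGCM(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Body: body}
	for _, kek := range keks {
		w, err := sealGCM(kek, dataKey)
		if err != nil {
			return nil, err
		}
		f.WrappedKeys = append(f.WrappedKeys, w)
	}
	return f, nil
}

// DecryptFile tries the caller's KEK against every wrapped copy; with no valid KEK left, the data is gone.
func DecryptFile(f *EncryptedFile, kek []byte) ([]byte, error) {
	for _, w := range f.WrappedKeys {
		if dataKey, err := openGCM(kek, w); err == nil {
			return openGCM(dataKey, f.Body)
		}
	}
	return nil, errors.New("no wrapped data key opens under this KEK")
}

func main() {
	primary, _ := newKey() // KEK on the live system
	escrow, _ := newKey()  // constructed: a second KEK kept offline by another custodian
	f, err := EncryptFile([]byte("constructed HR record: employee 0001"), primary, escrow)
	if err != nil {
		panic(err)
	}
	_, lostErr := DecryptFile(f, make([]byte, 32)) // primary KEK lost; only a zeroed stand-in remains
	got, _ := DecryptFile(f, escrow)                // the offline copy still recovers the record
	fmt.Printf("lost primary: %v\nvia escrow: %q\n", lostErr, got)
}
```

The first half of TerryB's question is also visible here: DecryptFile hands the plaintext to any caller that presents a valid KEK, so a process running under stolen credentials decrypts exactly as the legitimate user does. What the scheme does defend is the offline copy: a lost disk, backup tape or storage volume yields only ciphertext plus wrapped keys that are useless without a KEK, and the refusal to encrypt with zero KEKs stops the self-inflicted case where a file is sealed that nobody can ever open.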
User Rank: Ninja
1/20/2016 | 7:18:40 AM
This is why it's so dangerous when politicians who have no idea what they are talking about rail against encryption. That's not going to encourage business heads to learn more about it or consider its usage if they're told in the news that hiding information is a terrible thing.

Everything should be encrypted if not being accessed by the creator or intended recipient.
User Rank: Apprentice
1/20/2016 | 2:02:16 AM
I agree
Obviously it is. I agree with you.