
As unencrypted data becomes “negligence”, business leaders are taking encryption strategy away from IT

Yet as cloud complicates things, many companies are still encrypting data wrong – or not at all

Business executives are increasingly recognising that unencrypted data represents a governance shortcoming tantamount to “negligence”, one Australian security innovator has warned as figures suggest that business unit leaders now have more influence over corporate encryption strategies than IT leaders.

That shift – noted in the Ponemon Institute-Thales Global Encryption Trends Study earlier this year – suggests a growing recognition amongst business leaders that data must be protected in a way that makes it unusable even if it is breached. This practice has been extremely rare to date – recent Breach Level Index statistics suggested just 4 percent of data breaches were considered “secure breaches” where stolen data was encrypted – but Kelly Taylor, country manager with Thales e-Security, believes the growing involvement of business leaders and dedicated chief data officers (CDOs) is changing that.

The Ponemon-Thales study found that 41 percent of companies now have a consistent encryption strategy, up from 37 percent a year earlier. Some 30 percent of respondents said line-of-business or general management were most influential on encryption strategy, compared to 29 percent who credited IT operations and just 16 percent who said the security team was responsible.

“The ownership and accountability for who has responsibility for protecting organisational data is shifting,” Taylor told CSO Australia. “I have observed quite a few organisations taking a more active interest in encryption and data protection – not just for compliance reasons, but also just for doing the right thing.”

Data discovery had proven to be a sticking point for many organisations that simply had not undergone the effort to inventory and prioritise their data, Taylor said. Those organisations not only did not know what data they needed to encrypt, but had no way of monitoring who was accessing it and whether it was in fact secure.

This was likely to create more problems as businesses moved more and more of their data into cloud-based services, concentrating sensitive data in cloud repositories and making them higher-value targets for cybercriminals.

Many IT practitioners had moved to rely on cloud-based encryption capabilities, but this approach left lingering issues around control of encryption keys: when the provider generates and holds the keys, the provider (and anyone who compromises it or compels it) can decrypt the data. It also creates an administrative burden if organisations want to move their encrypted data between clouds, since data encrypted under one provider's keys must be bulk-decrypted and re-encrypted in the new environment.

Organisations should be encrypting data before they move it to the cloud rather than relying on native encryption, Taylor said, although just 46 percent of respondents to the Ponemon-Thales study said they were doing so; 37 percent said they rely on the cloud provider to generate and manage encryption keys, and to perform the actual encryption.
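The following is an added example (not code from the article, from Thales or from the Ponemon study) of what "encrypting before moving data to the cloud" looks like in practice: client-side envelope encryption in Go, using only the standard library. Each object is encrypted under a fresh data encryption key (DEK) with AES-256-GCM; the DEK is wrapped under a key encryption key (KEK) that stays with the customer (in practice it would sit in an HSM or a customer-controlled KMS; here it is an in-memory byte slice). The `Bucket` type and the `Migrate` function are constructed stand-ins for a provider's object store, not a real cloud API. The point the example makes is the one in the text: because the provider only ever stores ciphertext plus a wrapped key, an object can be copied between providers as-is, with no bulk decrypt/re-encrypt step and no KEK ever leaving the customer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is the only thing a provider ever stores: AES-256-GCM
// ciphertext plus the per-object DEK wrapped under the customer-held KEK.
type EncryptedObject struct {
	Nonce      []byte // GCM nonce for the data
	Ciphertext []byte // GCM output with the authentication tag appended
	WrapNonce  []byte // GCM nonce for the wrapped DEK
	WrappedDEK []byte // DEK encrypted under the KEK
}

// aeadSeal encrypts with AES-GCM, binding aad (the object name) so a stored
// object cannot be silently renamed or swapped for another one.
func aeadSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func aeadOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptForUpload encrypts plaintext on the customer side before it reaches
// any bucket. A fresh DEK per object limits blast radius; wrapping it under
// the customer's KEK keeps key control out of the provider's hands.
func EncryptForUpload(kek []byte, name string, plaintext []byte) (*EncryptedObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := aeadSeal(dek, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wn, wdek, err := aeadSeal(kek, dek, []byte(name))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wn, WrappedDEK: wdek}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object. A wrong
// KEK, a renamed object or any modified byte fails the GCM tag check.
func Decrypt(kek []byte, name string, obj *EncryptedObject) ([]byte, error) {
	dek, err := aeadOpen(kek, obj.WrapNonce, obj.WrappedDEK, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, obj.Nonce, obj.Ciphertext, []byte(name))
}

// Bucket is a constructed stand-in for one provider's object store.
type Bucket map[string]*EncryptedObject

// Migrate copies an object from one provider to another as-is: no decryption,
// no re-encryption and no KEK access at the provider boundary.
func Migrate(src, dst Bucket, name string) error {
	obj, ok := src[name]
	if !ok {
		return fmt.Errorf("object %q not found", name)
	}
	dst[name] = obj
	return nil
}

func main() {
	kek := make([]byte, 32) // in practice: held in an HSM or customer KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	cloudA, cloudB := Bucket{}, Bucket{}
	obj, err := EncryptForUpload(kek, "customers.csv", []byte("id,name\n1,Alice\n"))
	if err != nil {
		panic(err)
	}
	cloudA["customers.csv"] = obj
	if err := Migrate(cloudA, cloudB, "customers.csv"); err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "customers.csv", cloudB["customers.csv"])
	fmt.Printf("after migration: %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), "customers.csv", cloudB["customers.csv"])
	fmt.Println("provider-side read without the KEK:", err)
}
```

The contrast with provider-native encryption is in `Migrate`: with customer-held keys the move is a plain copy of the stored object, whereas data encrypted under a provider's own key would have to be decrypted inside that provider and re-encrypted in the next one. The object name as associated data is a small but worthwhile addition: it stops an attacker with write access to the bucket from pointing one name at another object's ciphertext.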

This echoed the sentiments of Senetas chairman Francis Galbally, who told the company’s recent annual general meeting that growing innovation around enterprise encryption was giving companies more options – and more responsibilities – around the protection of their data.

Australia’s looming Notifiable Data Breaches (NDB) scheme means “businesses will be required to report cyber incidents in a very public way,” Galbally said, noting that the higher compliance burden “will make board members accountable if data is hacked, stolen AND was not encrypted.”

“‘Why wasn’t it encrypted?’ will be asked more and more,” he said, warning that a failure to ensure data is encrypted “is, in my view, negligence and a breach of a director’s duty to the company and shareholders he or she serves. It is only a matter of time before a court makes such a ruling.”

Some 48 percent of survey respondents reported operating their own encryption hardware security modules (HSMs), with 36 percent renting access to a cloud-based HSM.

A longtime Australian encryption stalwart, Senetas has been investing in development of integrated HSMs that span on-premises and cloud-based networks, as well as partnering with an optical networking company to embed Senetas technology into that company’s products.

This echoes growing trends towards embedding encryption as a data-management layer: IBM, for one, recently released a pervasive-encryption mainframe platform under its IBM Z brand.

“The needles have certainly moved,” Taylor said, “but there is a lot to be done – and not just from the compliance perspective, but around reputational risk should there be a data breach. Identify the most sensitive data in the organisation, and the data that is most at risk, and then start from there. You don’t need to boil the ocean; just start somewhere.”