European businesses are the worst in the world at encrypting data, despite the introduction of the EU’s General Data Protection Regulation (GDPR), according to experts.
Research by Thales and IDC released in May found that just 27% of European organisations used encryption for email. For other forms of encryption, such as data at rest on PCs, big data environments and internet of things (IoT) applications, encryption rates are even lower.
The only area where encryption adoption is higher in Europe than in the rest of the world is cloud-native provider encryption. The survey findings come a year after all EU organisations introduced GDPR, which includes swingeing fines for data breaches – fines that could be largely avoided if all the affected data had been encrypted.
While the research found that businesses had cleared the initial hurdle of GDPR compliance, using extra budget to build up their security inventory, the processes they developed are largely manual, with plenty of scope for improvement.
“In other words, data security and GDPR compliance are yet to become operationalised into business-as-usual,” reads the report.
Speaking at a roundtable event in London, Jason Hart, cyber security evangelist at Thales, said that compliance with GDPR alone will not solve the data security issues European businesses have, and that actually reducing security risks is what helps with compliance.
“If you look at every major breach that’s occurred, they say ‘oh, we had encryption’, but you didn’t implement it correctly because the actual key to unlock the encryption was in the same database,” he said.
Lack of understanding
Hart added that, while GDPR has brought out a lot more interest in encryption, organisations still lack an understanding of what data they are supposed to be protecting, something that has not changed for 25 years:
“We drive everything from a technical point of view, but ultimately the problem is that most organisations don’t know what they’re protecting, and if they do know what they’re protecting they don’t know the risks they’re actually mitigating.”
He explained that a major reason for this was the lack of visibility businesses have over their data assets, most of which are trapped in silos.
“It’s not being transitioned up into a dashboard which allows an organisation to understand and then make the appropriate business decisions,” he said.
Hart further stated that, because businesses are not looking at risks properly, they are also encrypting data in silos: “You encrypted the data in the database, but what talks to the database? It’s the application, so the data now transverses into the application’s code text and then from the application it goes into the cloud. So they do it in silos and elements, but when people do it wrong, there is a false sense of security.”
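The two failure modes Hart describes, the decryption key sitting in the same database as the ciphertext and data being encrypted in silos, can be shown concretely. The following is an added example, not code from the article, Thales or any of the speakers. It builds two small in-memory SQLite "databases": one where the data-encryption key is stored in a secrets table beside the ciphertext (so anyone holding a dump or backup can decrypt everything), and one using envelope encryption, where the database holds only a data key wrapped by a key-encryption key (KEK) that lives outside the database, in what would be an HSM or KMS in practice. The `new_kek`, `siloed_database`, `envelope_database`, `attacker_reads_dump` and `application_reads` names, and the sample record, are all constructed for this example. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used only so the example runs with the standard library; a production system would use a vetted AEAD such as AES-GCM.

```python
"""Added example: key stored beside ciphertext vs. envelope encryption with an
external key-encryption key. Standard library only; the HMAC-based cipher is a
stand-in for a vetted AEAD (AES-GCM) and is not the article's or Thales' code."""
import hashlib
import hmac
import os
import sqlite3

SAMPLE_RECORD = b"constructed sample: customer=Alice, iban=PLACEHOLDER-IBAN"  # constructed


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _empty_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, ciphertext BLOB)")
    db.execute("CREATE TABLE app_secrets (name TEXT, value BLOB)")
    return db


def siloed_database(record: bytes) -> sqlite3.Connection:
    """Anti-pattern: the data-encryption key is stored in the same database as the data."""
    db = _empty_db()
    dek = os.urandom(32)
    db.execute("INSERT INTO customers (ciphertext) VALUES (?)", (encrypt(dek, record),))
    db.execute("INSERT INTO app_secrets VALUES ('customer_dek', ?)", (dek,))
    return db


def new_kek() -> bytes:
    """Simulates a key-encryption key held outside the database (HSM/KMS in practice)."""
    return os.urandom(32)


def envelope_database(record: bytes, kek: bytes) -> sqlite3.Connection:
    """Envelope encryption: the database holds only the DEK wrapped under the external KEK."""
    db = _empty_db()
    dek = os.urandom(32)
    db.execute("INSERT INTO customers (ciphertext) VALUES (?)", (encrypt(dek, record),))
    db.execute("INSERT INTO app_secrets VALUES ('customer_dek_wrapped', ?)", (encrypt(kek, dek),))
    return db


def attacker_reads_dump(db: sqlite3.Connection):
    """Models someone holding a full dump or backup: try every stored secret as the key.
    Returns the plaintext if any secret decrypts the record, otherwise None."""
    ct = db.execute("SELECT ciphertext FROM customers").fetchone()[0]
    for (value,) in db.execute("SELECT value FROM app_secrets"):
        try:
            return decrypt(value, ct)
        except ValueError:
            continue
    return None


def application_reads(db: sqlite3.Connection, kek: bytes) -> bytes:
    """The legitimate path: unwrap the DEK with the external KEK, then decrypt the record."""
    wrapped = db.execute(
        "SELECT value FROM app_secrets WHERE name = 'customer_dek_wrapped'").fetchone()[0]
    dek = decrypt(kek, wrapped)
    ct = db.execute("SELECT ciphertext FROM customers").fetchone()[0]
    return decrypt(dek, ct)


if __name__ == "__main__":
    print("siloed dump yields:", attacker_reads_dump(siloed_database(SAMPLE_RECORD)))
    kek = new_kek()
    env = envelope_database(SAMPLE_RECORD, kek)
    print("envelope dump yields:", attacker_reads_dump(env))
    print("application with KEK:", application_reads(env, kek))
```

The point for a defender is the check, not the cipher: if a database dump, backup or replica by itself is enough to recover plaintext, the encryption is not mitigating the breach risk it was bought for. With the key held outside the database, the same dump yields nothing without also compromising the KMS or the application host, and that separation is what makes the access logs on the KMS a meaningful detection point.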
This sentiment was shared by Thales’ senior regional sales director, Kai Zobel, who added that some companies “have started to encrypt some islands within the organisation but then they struggle to continue.
“So we see thousands of potential servers which need to be encrypted, but they just do 200 and then say they are done.”
Businesses are too reactive
According to James Ware, security solutions architect at KT Secure, the lack of both visibility and well-organised data means businesses are too focused on putting out fires to adopt a more proactive approach.
“If we find a problem we’ll fix it, but it’s not about looking forwards,” he said.
“I think a lot of organisations have a massive security solution sprawl where they use random bits and pieces to plug holes as and when they find them. No one’s really thinking strategically so they can consolidate all these logs and events into a single dashboard to get some visibility of what’s actually going on.”
Cyber security audits were floated as an answer to the problem by Dr Robert Nowill, chairman of Cyber Security Challenge UK, who suggested that requiring mandatory audits at big companies would make board rooms take encryption much more seriously.
“Lots of things are audited but that isn’t,” he said. “Boards would have to wake up and have to take it seriously.”
Hart added that there is a precedent for this kind of regulation, something he knows from his work on an act that forced public companies in the UK to have a business continuity plan: “If you didn’t have a business continuity plan in place and they tested it, basically that was an audit failure.”
The roundtable consensus was that this kind of move would make companies adopt a more proactive cyber security approach and treat threat assessment as a continuous process rather than a one-off issue that can be plugged with a technical solution.
In the long term, Nowill also added that cyber security education in the UK, which he described as “appalling”, needs revamping if the country does not want to be dealing with the same issues in another 25 years.
“The most commonly used passwords haven’t changed since I was talking about it for a laugh 20 years ago, it’s still 123456,” he said.
Nowill admitted that the tactic may not pay off for up to a decade, but that it is the best way to achieve the change required.