We're often told that one of the best protections we can have for our data is to use end-to-end encryption when data is at rest and in-flight so, in the event data is lost either accidentally or though a malicious act, the potential damage is minimised. But a recent study of 331 individuals conducted by the pinion Institute and sponsored by Thales - who has a big business in encryption - says just 32% of Australians have an enterprise-wide encryption policy.
It's easy to look at the results of studies like this and point to incompetence or ignorance as to why encryption isn't more widely deployed. But I'll let you into a secret that few security vendors will rarely discuss; real end-to-end encryption is hard, particularly with legacy systems.
The US Office of Personnel Management breach in 2015 is a great example of how hard it is. If you want to watch a senior government official squirm, the hearings into this breach make for compelling viewing. Under some quite intense and, at times, aggressive, questioning, the OPM's director, Katherine Archuleta, had to defend why encryption wasn't used on the data held by the OPM which included security clearance and HR details for thousands of current and past federal government employees.
*Chairman Chaffetz. No, I want to know from you why the information wasn’t encrypted. This is personal, sensitive information; birth dates, Social Security numbers, background information, addresses. Why wasn’t it encrypted?
*Ms. Archuleta. Data information encryption is valuable —
*Chairman Chaffetz. Yeah, it is valuable. Why wasn’t it?
*Ms. Archuleta. — and is an industry best practice. In fact, our cybersecurity framework promotes encryption as a key protection method.
*Chairman Chaffetz. Why didn’t you —
*Ms. Archuleta. Accordingly, OPM does utilize encryption -
*Chairman Chaffetz. We didn’t ask you to come read statements. I want to know why you didn’t encrypt the information.
*Ms. Archuleta. An adversary possessing proper credentials can often decrypt data. It is not feasible to implement on networks that are too old. The limitations on encryptions are effectiveness is why OPM is taking other steps such as limiting administrator’s accounts and requiring multi-factor authentication.
*Chairman Chaffetz. Okay, well, it didn’t work, so you failed. Okay? You failed utterly and totally.
Some of the other findings by Thales/Ponemon are that 57% of Australians have strategies for encrypting specific data types but about one-in-eight have no data encryption strategy at all. There's also a shift in encryption strategy shifting away from IT and to business units as they become more savvy about the impacts of data loss.