This spring, data breaches picked up right where they left off in 2020, with recent incidents at a dating website and various healthcare data breaches grabbing headlines. In response to these attacks, enterprises are turning to encryption to keep data secure, whether it’s at rest, in transit or in use – and it looks like most companies have significant plans in the next 12 months to address concerns around the vulnerability of sensitive data at the application layer.
This latter insight comes from some research we conducted with Prime Factors to get a better sense of how enterprises are managing their data protection strategies and how they perceive data at risk.
However, the survey of 600 IT professionals from the US and UK also found a lot of confusion around how application-level data protection is implemented, which can result in multiple hidden security risks. Enterprises that fail to properly protect data at the application level risk data breaches that can cost millions of dollars and major brand damage among those affected, including customers and employees.
Here are three broad survey themes that spotlight organizations’ main areas of focus in data protection and some growing concerns that will need to be addressed:
Many companies are not addressing data protection in the applications they control
Overall, the survey found that companies are banking on data-at-rest encryption techniques for applications they control. This is troublesome because these methods do not address protection of data-in-use. However, most respondents indicated they’re also focused on protecting data beyond just when it’s at rest. In fact, 85% of IT professionals said they were concerned about unprotected data at the application layer. Despite those concerns, only a quarter (24%) are implementing techniques that protect data in applications they control — an area that can be easily exploited by bad actors when not properly protected.
Nearly all IT pros plan to add application-level data protection functions in the next 12 months
Although organizations appear to be lacking in the protection of data in applications they control, they do have significant plans to address application-layer protection in the short term. Ninety-six percent of respondents said they plan to add application-level data protection in the next 12 months, noting encryption, data masking, security audit logging and tokenization as go-to solutions. But respondents also indicated concerns about how difficult these data protection methods are to implement. In fact, when respondents were asked to list their top three challenges out of seven answer options, no single challenge was identified by a majority of respondents. This indicates each company has its own unique deployment challenges in the area of data protection.
Organizations are challenged by cryptographic key management
The top-ranked challenge for implementing application-level data protection was connected to cryptographic key management: the majority of respondents said the secure generation and storage of cryptographic keys was the most difficult aspect. To help meet this challenge, 98% of IT professionals said they’re leveraging Hardware Security Modules (HSMs) to bolster application encryption.
If you want to take a deeper dive into the trends on data protection and application-level encryption, check out our summary of the survey findings and sign up for our joint webinar with Prime Factors on Wednesday 9 June.