Business usage of encryption to protect sensitive data, either in their own systems or in the cloud, continues to grow -- but only at a desperately slow pace.
Despite the omnipresent risk of deliberate or accidental security breaches, less than half of companies (41 percent) said they had an encryption strategy that's consistently applied across the organization, according to a survey. One in eight enterprises (15 percent) said they had no encryption strategy.
Compliance remains the top reason for having encryption in place, followed by a desire to protect intellectual property and to defend against "specific, identified threats". Protecting customers' personal information came fourth on the list of reasons, which may be little comfort to many considering that one in five UK companies was hit by some kind of cyberattack in the last 12 months.
Employee data is most likely to be encrypted, followed by payment-related data and financial records, according to the survey of 5,000 business users sponsored by security company Thales.
Databases, internet communications, and datacenter storage are the most likely to be deployed (89 percent, 85 percent, and 80 percent, respectively), but in contrast, encryption for big data repositories (53 percent), public cloud services (55 percent), and private cloud infrastructure (59 percent) have much lower usage rates.
Of those that do encrypt data at rest in the cloud, two-thirds either encrypt it before they send it to the cloud, or encrypt in the cloud using keys they generate and manage on premises. The other third turn over complete control of keys and encryption processes to cloud providers.
So why does usage of encryption remain so low?
Over half of respondents said that discovering where sensitive data resides in the organization is their most difficult challenge, while nearly half said that deploying encryption technology remains a "significant challenge". Third on the list was the difficulty of deciding what data should actually be encrypted.