Even though 2015 saw more data breaches than ever before, with cybercrime as the biggest cause of many of those breaches, the truth behind that statement is actually more complex. The growth of mobile device usage, and the use of the cloud, have expanded the attack surface exponentially, introducing more ways for cybercriminals to find a way back to the network. Right now, as many as 36% of cyber security incidents can be tied back to attacks on mobile devices.
Cyber attacks, however, are often the product of mistakes. People click on phishing links, install insecure apps, use insecure passwords or use public WiFi – this is how ‘people’ can be the cause of so many cyber attacks, and why mobile devices only amplify this ‘people’ risk.
Current industry standards, and even industry regulations such as HIPAA, set minimum requirements that organizations must meet in order to protect data on the endpoint. In many cases, the existence of encryption on the endpoint will allow an organization to avoid the need to report a data breach, making it seem like the ‘gold standard’ in data protection. The truth is, encryption is good, but it’s not good enough – and, still worse, it’s not even being used well enough.
In The State of Encryption Today, Sophos interviewed 1700 IT managers and found that only 44% of organizations are making extensive use of encryption, with another 43% using encryption to some degree. As Sophos notes, the sheer existence of the more than 169 million records exposed in 2015 shows how much data remains unencrypted. In fact, digging deeper, quite a lot of data remains unprotected. Customer data was encrypted in only 24% of cases, and customer payment details in 25%. Encryption is most prevalent on PCs (66%) and laptops (60%), yet nearly absent from mobile devices (29%) and the cloud (39%).
It’s clear that encryption practices, where they do exist, have not kept pace with how employees work today. Though fallible, encryption is still a key layer in data protection. At Absolute, we believe in layered defences, so that if one layer is breached (externally or by mistake), another layer is there to pick up the slack. For example, with Absolute DDS, you can remotely recover or delete data, with policies to ensure data is automatically protected in risky situations, predefined by you. So, if encryption is turned off, a device can be automatically locked.