Encryption Expands, but Adoption Gaps Raise Concern

Cybersecurity   Information Security    | April 14, 2020

Global information technology leaders tend to focus too much on senior executives at the expense of other business areas raising concern and vulnerability.

A strong majority of IT leaders are deeply concerned with security and have adopted some level of protections for data being sent through email, a study by industry encryption leader Echoworx has found. However, a distressing 13% of the largest firms [with more than 10,000 employees] were not encrypting their sensitive communications despite the steady rise in attempted security intrusions.

“Cyber criminals, hackers, agents of industrial and government espionage all see unprotected email as an easy target,” said Echoworx Director Market Intelligence, Jacob Ginsberg. “In the first half of last year over 4.1 billion records were compromised as a result of security breaches, with a stunning 70% of those breaches being email related.”

Protection efforts are unevenly focused

In collaboration with Pulse, an online research hub for chief information officers, Echoworx surveyed 100 Chief Information and Chief Technology Officers (CIOs, CTOs) from North America, Europe, the Middle East and Africa.

As a pioneer in email data protection, Echoworx has researched attitudes toward protecting information and files sent using email for two decades. As early as 2004, it found that while 68% of IT executives had concerns about email privacy, fewer than half had developed a strategy using encryption to protect it. By 2016, 63% of firms had developed a strategy. The 2020 study found that 83% have now done so.

The rise in those top-line numbers has been encouraging but further questioning exposed protection efforts are unevenly focused. The tendency to limit encryption to the top of the corporate pyramid, was noted, leaving vulnerabilities to data and files communicated through email in key areas including HR and payroll, product development, finance and more.

Asked how they were prioritizing the use of encryption, IT leaders said they had prioritized high-level internal messages (26%) followed by sensitive third-party data (24%), protected/regulated data such as medical or credit info (16%) and then intellectual property (10%). But when asked where they were prioritizing the access to encryption, IT leaders see Security, IT, and Engineering departments as being most in need of protection.

However, sensitive data and are shared through an entire firm and with third parties, by practically all business lines and departments in emails. The more limited email data protection and security are throughout an enterprise, the more at risk the company is for email breaches. That calls for a more collaborative and holistic approach, where the protection of data is available for all employees who may handle sensitive data.

…when adopting a ‘zero trust’ strategy – for all messages both internal and external – you have to extend protections throughout an organization … to everyone. – Director Market Intelligence, Jacob Ginsberg

Encryption reserved to select few

That’s currently not happening. Respondents said technology solutions for email data protection were often directed toward the top tiers of an enterprise, even though the measures could benefit whole companies. In most firms, respondents said using encryption to protect email was reserved for the “leadership”, “senior executives” and that it was “based on hierarchy.”

“IT leaders tell us they need to change the mindset, that enterprises need to take a more collaborative approach to address the gaps in email data encryption strategies,” said Jacob Ginsberg. “It’s essential to protect top executives’ communications, but when adopting a ‘zero trust’ strategy – for all messages both internal and external – you have to extend protections throughout an organization … to everyone.”

When building a zero-trust security environment, those who make purchasing decisions should evaluate the all network communication taking place in an enterprise, Ginsberg said. But among respondents, 59% said they had dedicated teams that study email security purchases, 31% said such decisions were made based on cross-department consultations, and a surprising 9% said that decisions were made solely by top executives.

Whose making purchasing decisions? A surprising 9% said decisions are made solely by top executives

Procurement missing the mark on zero-trust security

And even when procurement is a team decision, further questioning found it is often by one that doesn’t reflect the businesses diverse activities: 54% of respondents said the purchasing team were from a single department, while only 46% said purchasing team members included several departments.

“When protecting a company’s assets, most in the industry agree that more needs to be done to improve email security,” said Jacob Ginsberg. “Yet, this study shows that more needs to be done to ensure that email security technology decisions are balanced between the requirements of the whole business and the requirements of the security team.”

For the full insights, Echoworx has produced a one-minute white paper on the survey, asking CIOs how they think their encryption strategies stand up against today’s digital reality.