Ponemon Institute is pleased to present the findings of the 2022 Global Encryption Trends Study, sponsored by Entrust. We surveyed 6,264 individuals across multiple industry sectors in 17 countries/regions – Australia, Brazil, France, Germany, Hong Kong, Japan, Mexico, the Middle East (which is a combination of the respondents located in Saudi Arabia and the United Arab Emirates), Netherlands, the Russian Federation, Spain, Southeast Asia, South Korea, Sweden, Taiwan, the United Kingdom, and the United States.
The purpose of this research is to examine how the use of encryption has evolved over the past 17 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a U.S. sample of respondents. Since then we have expanded the scope of the research to include respondents in all regions of the world.
Organizations with an overall encryption strategy increased significantly since last year. Since 2016 the deployment of an overall encryption strategy has steadily increased. This year, 62% of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise, a significant increase from last year. Only 22% of respondents say they have a limited encryption plan or strategy that is applied to certain applications and data types, a significant decrease from last year. The average annual global budget for IT security is $24 million per organization. The countries with the highest average annual budgets are the U.S. ($41 million) and Germany ($28 million).
Following are findings from this year’s research.
Enterprise-wide encryption strategies have continued to increase. Since conducting this study 17 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. In this year’s study, 61% of respondents rate the level of their senior leaders’ support for an enterprise-wide encryption strategy as significant or very significant.
Certain countries/regions have more mature encryption strategies. The prevalence of an enterprise encryption strategy varies among the countries/regions represented in this research. The highest prevalence of an enterprise encryption strategy is reported in the United States, the Netherlands, and Germany. Although respondents in the Russian Federation and Brazil report the lowest adoption of an enterprise encryption strategy, since last year it has increased significantly. The global average of adoption is 62% of organizations represented in this research.
Globally, the IT operations function is the most influential in framing the organization’s encryption strategy. However, in the United States the lines of business are more influential. IT operations are most influential in the Netherlands, Spain, France, Southeast Asia and the United Kingdom.
The use of encryption has increased in most industries. Results suggest a steady increase in most of the 13 industry sectors represented in this research. The most significant increases in extensive encryption usage occur in manufacturing, energy & utilities and the public sector.
Employee mistakes continue to be the most significant threats to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests.
Most organizations have suffered at least one data breach. Seventy-two percent of organizations report having experienced at least one data breach. Twenty-four percent say they have never experienced a breach and 5% are unsure.
The main driver for encryption is the protection of customers’ personal information. Organizations are using encryption to protect customers’ personal information (53% of respondents), to protect information against specific, identified threats (50% of respondents), and to protect enterprise intellectual property (48% of respondents).
A barrier to a successful encryption strategy is the inability to discover where sensitive data resides in the organization. Fifty-five percent of respondents say discovering where sensitive data resides in the organization is the number one challenge and 32% of respondents say budget constraints are a barrier. Thirty percent of all respondents cite initially deploying encryption technology as a significant challenge.
No single encryption technology dominates in organizations. Organizations have very diverse needs for encryption. In this year’s research, encryption of backup and archives, internet communications, databases, and internal networks is most likely to be deployed. For the fifth year, the study tracked the deployment of the encryption of Internet of Things (IoT) devices and platforms. Sixty-three percent of respondents say IoT platforms have been at least partially encrypted and 64% of respondents say encryption of IoT devices has been at least partially deployed.
Certain encryption features are considered more critical than others. According to the consolidated findings, system performance and latency, management of keys, and enforcement of policy are the three most important encryption features.
Intellectual property, employee/HR data, and financial records are most likely to be encrypted. The least likely data types to be encrypted are health-related information and non-financial information, which is a surprising result given the sensitivity of health information.