Despite being an effective tool for safeguarding sensitive information, encryption remains underutilized by many organizations, leaving them vulnerable to cyber threats.
Many companies still rely on perimeter security measures, viewing encryption as optional rather than essential. Misconceptions about the complexity and cost of encryption further hinder its adoption, leading to a reactive approach that often waits for a data breach before taking action.
We spoke with Ameesh Divatia, CEO of Baffle, to explore the reasons behind the slow adoption of encryption, the potential impact of stronger regulations, and practical steps organizations can take to enhance their data security strategies in an increasingly perilous digital landscape.
BN: Why is encryption still not widely used by many companies, despite its effectiveness in protecting data?
AD: This is one of the more surprising aspects of today’s data security landscape. Encryption has been accessible for decades and has proven to be incredibly effective at protecting sensitive information from unauthorized access. Yet, many organizations still lag in adopting it as a standard practice. One of the main reasons is that many organizations continue to rely heavily on perimeter security measures, such as firewalls, intrusion detection systems, and multi-factor authentication. These are seen as easier, more familiar options, especially when it comes to passing compliance checks. However, perimeter defenses alone are insufficient when considering the types of sophisticated threats we face today.
There’s also a misconception that encryption is too sophisticated or expensive to integrate across the enterprise. While this may have been the case years ago, today’s encryption solutions are far more user-friendly and scalable. Organizations also underestimate the actual risk and impact of a data breach. Instead of taking a proactive approach, they often wait until they experience a cyberattack before investing in comprehensive data security and encryption strategies. This reactive mindset is the real reason why encryption hasn’t been widely adopted.
BN: How could stronger regulations influence companies to adopt encryption more widely?
AD: Stronger regulations would absolutely make a difference. Right now, regulators haven’t caught up to the reality of modern cyber warfare. While some industries have specific compliance requirements for certain data types, encryption is often viewed as optional, labeled a ‘best practice’ rather than a necessity. If regulators required encryption across all sensitive data, we’d likely see a massive shift in how companies approach security.
Just as the Federal Reserve requires banks to store money in vaults, regulators could potentially set similar and clear standards for data encryption. If the rules made encryption a non-negotiable requirement, companies would be forced to prioritize it.
In this respect, regulators have failed, especially given the level of cyber risk we face today. The cost of data breaches is staggering — more than six billion data records have already been breached this year alone. And most of that cost will ultimately fall on consumers, not the companies responsible for protecting that data.
Clearer and stricter regulations would force companies to implement protection of private data commensurate with their value rather than get by with weaker security controls that will ultimately result in the public bearing the cost of data breaches. By requiring encryption, we’d not only see improved data security across industries but also a more serious commitment to holding companies accountable for protecting the sensitive information they collect.
BN: What practical steps can companies take to start using encryption effectively in their data security strategies?
AD: Companies that want to be proactive about encryption can shift their mindset from simply passing audits to treating data security as risk mitigation. When one views encryption through the lens of mitigating the risk of breaches, it becomes an obvious requirement for protecting sensitive information. Companies should conduct a thorough data audit to identify what needs to be encrypted, typically including personal customer data, financial records, intellectual property, and other high-risk information.
The good news is that encryption has become much easier and faster to implement. Modern encryption tools are more user-friendly and efficient, reducing the overhead previously associated with encryption. Companies no longer have to worry about major slowdowns or complexities when encrypting their data. The return on investment for encryption is clear: the security benefits far outweigh any potential drawbacks.
Of course, encryption isn’t the cure all for cyber attacks, but it’s the tool specifically designed to protect the privacy of data against even the most sophisticated cyber threats, making it essential for any company looking to secure its sensitive data.
BN: Looking ahead, how do you see encryption evolving in the face of new data security threats? What should companies be doing now to stay ahead?
AD: Encryption plays a crucial role in any comprehensive cybersecurity strategy, particularly given the scale and sophistication of modern threats. We’re storing more sensitive data than ever, and adversaries are constantly refining their methods to breach that data. While firewalls, monitoring, and multi-factor authentication are vital for securing the perimeter, encryption adds an essential layer of protection to the data itself. Even if an attacker penetrates other defenses, encryption ensures that the data remains inaccessible without the proper keys.
While many companies have historically viewed encryption as complex or burdensome, modern tools have made implementation much easier and more efficient. Organizations that take a proactive approach to data security by fully integrating encryption into their processes are much better positioned to protect sensitive information in today’s evolving threat landscape.
Image credit: welcomia/depositphotos.com
