Apricorn has published findings from its annual survey into encryption policies, conducted among IT security decision makers in the UK. The survey revealed that almost half (46%) of organisations now require all data to be encrypted as standard, whether at rest or in transit – this is double the percentage from 2023 (23%) and marks a pivotal shift as more companies recognise the critical role of encryption in safeguarding sensitive information.
The findings also revealed a significant uptick in the adoption of encryption with organisations clearly taking steps to enhance their data protection strategies. A staggering [1]96% of organisations now enforce a policy that mandates encryption for all data held on removable media. This is in line with last year’s research which highlighted intentions to expand encryption usage, showing that those plans have now been followed through, particularly with hardware encryption and securing remote and mobile IT equipment.
Additionally, 44% said they only permit the use of hardware-encrypted, organisation-approved removable media, a significant increase from just 22% last year. This shows a growing reliance on hardware encryption to secure portable devices that are often exposed to greater risks of theft or loss. This is particularly notable given the increased need to manage and secure data in increasingly flexible working environments, where personal devices are becoming more integrated into corporate operations.
Commenting on the findings, Jon Fielding, Managing Director, EMEA Apricorn, stated: “These results demonstrate a clear shift in mindset, with organisations now following through on their plans to ramp up encryption efforts. The surge in hardware-encrypted devices, particularly for removable media and mobile devices, reflects a growing understanding that encryption is not just a best practice but a necessity in today’s threat landscape.”
Encryption across devices has also seen an expansion, with organisations ensuring data is protected on a range of different computing equipment. Over[2] 94% of IT security decision-makers reported that their organisation encrypts data on laptops and desktops, while 289% encrypt mobile phones, and 291% surveyed encrypt USB sticks. Furthermore, a majority are expanding encryption usage, with over a quarter planning to broaden their encryption coverage across all these devices.
“Given the rise in remote working and the ongoing risk of cyberattacks, it’s crucial for organisations to continue expanding their use of encryption across all devices and data in transit. Protecting data at every point of its lifecycle is essential to mitigate risks, especially as threats like ransomware continue to evolve,” commented Fielding.
Several factors have driven this increase in encryption implementation over the past year. The top five reasons cited by IT security decision-makers surveyed are: to better protect data (28%), to allow them to securely share files (18%), the rise in remote working (20%), to avoid regulatory fines (11%) and to protect lost or stolen devices (11%).
These reasons reflect both the evolving security landscape and the pressures of regulatory compliance, as well as the practical challenges posed by remote working and the need to share sensitive data securely.
Interestingly, there has been an improvement in understanding which data sets also need to be encrypted. Only 7% of organisations surveyed admitted they lacked clarity on which data sets require encryption, a notable improvement from 14% in 2023. This suggests that businesses are gaining better visibility over their data assets and how to protect them effectively.
This is a positive step, especially given that almost three-quarters of those surveyed [3](74%) also said that their organisation’s mobile/remote workers are willing to comply with security measures, but they don’t have the necessary skills or technology to keep data safe and 360% expect their mobile/remote workers to expose them to the risk of a data breach.
When questioned on the main causes of a data breach within their organisation, whilst phishing (34%) and ransomware (31%) topped the list, 22% cited a lack of encryption - an increase of 5% compared with 2023 findings.
Despite this, when asked what tools/strategies, they currently incorporate into employee usage policies to meet cyber insurance compliance, 74% said they encrypted storage at rest (35%) and on the move (39%), both of which ranked in the top five. This once again highlights the critical need for encryption to not only tackle cybersecurity threats and meet compliance demands, but to satisfy insurance criteria to enable the organisation to make a claim following a breach.
“As more businesses recognise that encryption plays an increasingly critical role in corporate cybersecurity strategies, the expanded adoption demonstrates that businesses are moving in the right direction to address emerging risks, though there is clearly still more to be done,” said Fielding.