More than nine in ten Australians surveyed for Gemalto’s Data Security Confidence Index say organisations should be encrypting the data they hold, although fewer than one in 10 say they have a complete understanding of what encryption does.
According to the annual research report – the fifth published by the security firm – around a third (32 per cent) of the consumer respondents said encrypting customer data was ‘critically important’ with a similar number (30 per cent) saying it was ‘very important’.
Despite their desire for companies to encrypt their data, only nine per cent claimed to have a complete understanding of what encryption does. However, around half overall had at least some understanding.
The consumer element of the report is based on a survey of 10,500 consumers globally including 1000 in Australia.
When asked to pick the best definition of encryption from a list of options, globally more than half of respondents picked correctly. Some 17 per cent thought it related to the use of human features such as fingerprints or facial recognition to access data, 16 per cent thought it was a password rotation system and 13 per cent believed encryption to be the pin number prompt when making a payment online.
“While consumers feel that they have some knowledge about encryption, it’s clear that there is still plenty of room for education in this particular area,” the report stated.
“Not all organizations are encrypting their sensitive data types, but they should be for their security needs, as well as to meet consumer desires,” it added.
Overall, only half (52 per cent) of Australian consumers said they trusted businesses to store and manage their personal data.
IT decision makers – of which 1050 were surveyed, including 100 in Australia – were more confident in their own organisations ability to protect their personal data if they were a customer, with 93 per cent saying they trusted their employer.
Their faith may be misplaced however, with 45 per cent of Australian organisations reporting that their entire network can be accessed by unauthorised users.
Seven in 10 said they encrypted payment data, 67 per cent encrypted customer information and 60 per cent did so for employee records.
When asked what percentage of data in their organisations’ last breach was encrypted, 27 per cent said it was five to 10 per cent, and 36 per cent said it was between three and four per cent. Overall the average amount protected by encryption was 9.81 per cent.
Australian organisations need to comply with two major new regulations regarding data. The first is theEuropean Union’s General Data Protection Regulation (GDPR), which came into in May and applies to any Australian business that has European customers.
In February,Australia’s data breach notification regime took effect, obliging most major Australian businesses to notify their customers and the Office of the Australian Information Commissioner of serious data breaches.
Local organisations are not faring well in complying with these new laws. Just half (48 per cent) of Australian businesses currently have policies and procedures in place for how sensitive information should be protected in line with legislation, compared with 60 per cent globally.
“It’s time organisations got their houses in order; starting with who oversees their data security. A central figure such as a Data Protection Officer – essential in some circumstances under GDPR – must be appointed to the board to lead data security from the top down. Next is having more insight and analysis on the data collected to ensure that it is both correctly protected and enabling more informed business decision making,” said Gemalto CTO for Data Protection Jason Hart.
“Finally, a mindset change. Organisations must realise that it’s no longer a case of if, but when a breach occurs, and protect their most valuable asset – data – through encryption, two-factor authentication and key management, rather than solely focusing on perimeter protection.””
Notably, although Australian IT professionals were the most likely globally to believe unauthorised users can access their corporate networks in any way, they were also the most confident thattheir data would be secure once a hacker was on the inside.