Employee data often isn't encrypted as well as customer data, report says

Workers are out on a limb when it comes to data theft, says a report.

Study: companies don't encrypt employee data

Employee bank records are among the sensitive details that companies are failing to protect adequately through encryption, a recent study has uncovered.

While enterprises now take customer data protection seriously, in many cases they're ignoring their workers' needs for security, according to encryption product vendor Sophos.

Not always doing it

Sophos says that almost half (47%) of the companies it surveyed owned up to not always encrypting employee healthcare information when storing it.

And close to that number (43%) failed to always encrypt workers' human-resources files.

Many (31%) came clean on not always encrypting bank details, the security vendor said in a press release about its report.

Sophos polled 1,700 "IT decision-makers" in multiple countries and sectors about their encryption habits.

Records getting stolen is a significant problem, Sophos thinks.

In 2014, 700 million records were compromised, according to Verizon's 2015 Data Breach Investigations Report. Sophos quotes Verizon's statistic in its blog.

Out of sight, out of mind

Sophos thinks that one of the main problems is that the customer data breaches have been getting more publicity than employee data hacks.

"While customer data breaches are the ones that get the biggest headlines, companies have an obligation, and may be legally required, to protect sensitive employee data," the security company says.

"This is an area of data security that is far too often overlooked," it adds.

Governments not encrypting

Notably, data in the famous hack of the Office of Personnel Management that leaked 4 million federal employee records in 2015 was not encrypted, according to multiple reports. Encryption had reportedly been recommended after an earlier attack, but it was never put into place.

"You failed. You failed utterly and totally," Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told the managers at the time, according to the Los Angeles Times.

Another issue Sophos raises (unrelated to the federal hack above) is that organizations don't understand the different kinds of encryption, and so get it wrong.

"Full-disk and file encryption are not and should not be mutually exclusive," the vendor says.

Full-disk encryption protects devices and drives, but "doesn't protect the data once it leaves the device," Sophos explains. You need file-level encryption for that.

Because file-level encryption travels with the data, the data stays protected wherever it goes, including while it is being moved around.

"Only 36% of companies said they use both full-disk and file encryption," Sophos says it found in its study.

As one might expect, cloud-security awareness is "one area driving increased adoption of encryption," the vendor says.

"While 80% are using the cloud for storage, only 39% encrypt all files stored in the cloud," Sophos says. Why? Perhaps a reliance on the cloud vendor for security.

I wrote about a report suggesting cloud documents were wide open to theft earlier this week. That report found enterprise cloud documents via Google searches, one example of the lax security practices it uncovered.

And if you think these companies are singling out employees with this apparently lax handling of sensitive documents?

Not so. The Sophos report found that 41% of companies "inconsistently" encrypted their own intellectual property, too.
