The 2021 Ponemon Encryption Trends Study is here


Encryption, as a means of safeguarding data assets, has been growing in popularity over the last 15 years as organisations recognise the importance of a cyber-security strategy that protects sensitive data at the source of the asset.

Traditionally organisations have relied on securing their data assets within their enterprise infrastructures using perimeter information security controls and physical security controls to prevent access to Information Technology (IT) systems.

As cyber-attacks increase in sophistication, and the use of social engineering as a means of accessing enterprise IT systems increases, organisations are adopting application and data security controls, to augment traditional infrastructure security controls.

Encryption is at the very core of this multi-layered data protection approach and an encryption strategy that includes sensitive data regardless of where that data resides, is increasingly leading the cyber-security strategy for organisations.

The Ponemon Institute 2021 Global Encryption Trends Study (GETS) reports an exponential increase, year on year, in organisations adopting and implementing a defined encryption strategy. Since collecting and reporting data in 2006 Ponemon have seen a 35% increase in the strategic adoption of encryption as a viable data security control.

There are a couple of drivers responsible for this consistent increase in the adoption of encryption as a viable protection mechanism against cyber-attacks. None more so than the adoption of cloud, and the various cloud options such as storage, platforms, virtual systems and even software as a service applications. All these IT components provide a cost effective and flexible means of running IT systems and applications for organisations who are consistently challenged with reducing IT costs but also leveraging the advantages that digital innovation can bring to their business.

Traditional Enterprise Architecture

Traditional enterprise IT architectures are based on highly secure access-controlled data centres at their core. These centres are being replaced by hybrid multi-cloud architectures where data is distributed across physical storage arrays, physical datacentres and in a number of cases even across multiple geographic locations. Traditional perimeter security and system security controls alone cannot control data access and prevent data breaches.

Regulation and Compliance

Compliance mandates related to data privacy and regulation defining the requirement to disclose data breaches has raised the impact of a data loss considerably for companies that store and process sensitive data. Fines for GDPR violations, the General Data Protection Regulation that protects the right to data privacy for EU citizens, can reach US$24M or 4% of a companies’ annual turnover. More than US$300M in GDPR fines has been issued in the EU to date with many other jurisdictions implementing similar regulations and fines to companies who breach data privacy regulations.

“The GETS report cited ’employee mistakes’ as the most salient threat.”— Martin Schlatter

Barriers to adoption of an Encryption strategy

Unsurprisingly, one of the biggest barriers to adoption of encryption as a strategy is the ability for organisations to define what their sensitive data is and discover exactly where it resides. With the adoption of cloud resources and distributed IT architectures, organisations are finding it increasingly difficult to define exactly where data is stored and how that data moves across the organisation. According to the GETS findings, support for cloud deployments is one of the top 5 “must- have” features for an encryption solution.


Despite the dramatic increase in cyber-attacks respondents to the GETS report cited “employee mistakes” as the most salient threat to sensitive or confidential data, ahead of “process malfunctions” and “hackers”. Humans by nature are error-prone and despite algorithm driven systems, individual employees still access and process large volumes of data on a daily basis. Through an encryption strategy that incorporates encryption technology into business process, organisations have potential safeguards in place that ensure data isn’t shared or distributed to unintended recipients.

These trends are useful to understand when approaching security, look me up to get any further advice – Martin.