
Survey shows many businesses aren’t encrypting private employee data

Many companies aren't encrypting their own employees' private data, according to a Sophos survey of IT decision makers in six countries.

Although three-quarters of companies report they are now encrypting sensitive customer data such as payment information, many companies aren’t extending the same level of protection to their own employees’ private data.

Employee bank details are encrypted by 69% of companies that store that type of data, HR records are encrypted by only 57% that store them, and employee healthcare information is encrypted by just 53% of companies that store those records, according to a Sophos survey of 1700 IT decision-makers.

That’s despite the fact that 56% of companies identify protecting employee data as a factor in their decision to use encryption; protecting “proprietary company data” was the only response cited more by companies (63%) as a reason to encrypt sensitive data.

The disparity between the number of companies encrypting customer data and those encrypting employee data is alarming for a number of reasons, not least of which is that employees are a big target for cyberattacks against businesses.

Stolen employee data could be used in phishing and social engineering campaigns against both employees and their employers.

Another 60% of companies say they don’t encrypt all documents and files created by employees, even though 59% of companies say they always encrypt intellectual property and 70% say they always encrypt company financial information.

The comparatively low number of companies encrypting their employee data is a big concern, says Dan Schiappa, senior vice president and general manager of Enduser Security at Sophos:

Data breaches happen to large and small companies every day, and the last line of defense against that breach turning into a corporate crisis is a comprehensive data encryption policy. While it is the customer data breaches that hit the headlines, companies have the same obligation to protect sensitive employee data, and they should not overlook it.

Other findings

The Sophos survey of IT decision makers in six countries reveals that there are some misconceptions about encryption, and some disconnects between what companies say they are concerned about – and what they’re doing about it.

Although 84% of companies say they are concerned about data security in the cloud, only 39% say they encrypt all files stored in the cloud.

Another 47% say they encrypt some files stored in the cloud, while 11% say they don’t encrypt any files in the cloud but plan to.

Many organizations also fail to recognize that file-level encryption and full-disk encryption should be complementary technologies, and that an “either-or” strategy of file versus full-disk encryption leaves them vulnerable.

Just 36% of companies say they use both full-disk and file encryption, even though data that is only encrypted on disk is no longer protected once it leaves the device.
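The point about full-disk and file-level encryption being complementary is easiest to see in a model. The following example is added here and is not code from the survey or from Sophos. It models an unlocked full-disk-encrypted laptop (ciphertext on the platter, transparent decryption on every read) and then copies an HR record off it the way an email attachment or cloud sync would, with and without an extra layer of file-level encryption keyed by the application rather than the disk. The cipher is a stdlib-only HMAC-based construction chosen so the model runs offline; the record contents are a constructed sample.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption built from the standard library only
# (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC). It exists so the
# model runs offline; real deployments use AES-GCM or the platform's own
# disk/file encryption, not this construction.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class FullDiskEncryptedDevice:
    """A laptop whose full-disk encryption was unlocked at boot: every sector is
    ciphertext at rest, but every read through the mounted filesystem
    transparently decrypts."""

    def __init__(self) -> None:
        self._disk_key = secrets.token_bytes(32)  # unlocked at boot, never leaves the device
        self._sectors = {}  # path -> ciphertext as stored on the platter

    def write(self, path: str, data: bytes) -> None:
        self._sectors[path] = encrypt(self._disk_key, data)

    def read(self, path: str) -> bytes:
        return decrypt(self._disk_key, self._sectors[path])

    def stolen_disk_image(self, path: str) -> bytes:
        """What a thief sees after pulling the powered-off drive."""
        return self._sectors[path]


def copy_off_device(device: FullDiskEncryptedDevice, path: str) -> bytes:
    """An attachment, cloud sync or USB copy made through the mounted
    filesystem: the OS hands over whatever read() returns."""
    return device.read(path)


# Constructed sample HR record (not real data).
RECORD = b"employee=J. Doe; bank=GB00EXAMPLE; condition=hypertension"


def scenario_fde_only() -> dict:
    """Full-disk encryption alone: safe against drive theft, not against a copy."""
    dev = FullDiskEncryptedDevice()
    dev.write("/hr/jdoe.txt", RECORD)
    return {
        "at_rest_exposed": RECORD in dev.stolen_disk_image("/hr/jdoe.txt"),
        "copy_exposed": copy_off_device(dev, "/hr/jdoe.txt") == RECORD,
    }


def scenario_fde_plus_file_encryption() -> dict:
    """Both layers: the copy that leaves the device is still ciphertext, and
    only the holder of the file key can read it."""
    file_key = secrets.token_bytes(32)  # held by the HR application/user, not the disk
    dev = FullDiskEncryptedDevice()
    dev.write("/hr/jdoe.txt", encrypt(file_key, RECORD))
    copied = copy_off_device(dev, "/hr/jdoe.txt")
    return {
        "at_rest_exposed": RECORD in dev.stolen_disk_image("/hr/jdoe.txt"),
        "copy_exposed": RECORD in copied,
        "readable_with_file_key": decrypt(file_key, copied) == RECORD,
    }


if __name__ == "__main__":
    print("FDE only:", scenario_fde_only())
    print("FDE + file encryption:", scenario_fde_plus_file_encryption())
```

Running it shows the asymmetry the survey is pointing at: with full-disk encryption alone the stolen drive is unreadable but the copied file is plaintext, while the file-encrypted copy stays ciphertext wherever it is sent and can only be opened with the separately held file key.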

The financial (41%) and telecom (50%) industries lead the way in using both types of encryption.

The survey found that companies in the US are most likely to make “extensive use” of encryption – 54% of US respondents said they use encryption extensively, versus 49% in Australia, 48% in Canada, 46% in India, 32% in Japan and just 26% in Malaysia.

Sophos also asked what reasons companies have for not encrypting data.

Of those organizations that do not make extensive use of encryption, 37% cite lack of budget, and 31% point to concerns about encryption’s impact on performance.

Also, 28% cite a lack of deployment knowledge, and 20% a lack of legal pressure, as reasons they don’t use encryption extensively.

All of these concerns have an element of myth – as Naked Security writer Paul Ducklin explained in an article about reasons to encrypt or not to encrypt, you can never have enough encryption.

To read the full survey report (no registration required), visit



Maybe I missed something but I am not sure that encryption is the be-all and end-all unless there is a unique password for the encryption on a per-file basis, and that that password is not held in a keychain with a lot of other passwords which are automatically unlocked for the user when the user logs in. If a system is hacked including such auto-decryption then most of the encryption systems in use are no help in preventing data theft. The best use of encryption is whole-disk encryption for devices that leave the office. For office systems that stay in the office then a much broader strategy is needed as it is much more likely to be hacked remotely than someone breaking in and stealing a disk to get to the data.

