Encryption is an underused technology that’s in the news — and on customers‘ minds, says a new global survey of 1,700 IT decision-makers from midsize businesses.

Channel-focused security provider Sophos queried companies with 100 to 2,000 employees, and Marty Ward, the company‘s VP of product marketing, told Channel Partners that Sophos’ partners will likely see big revenue growth over the next few years.

“Sixty-nine percent of survey respondents said, ‘we are investing heavily over the next two years in encryption — we want to address this gap,’” says Ward. “Channel partners need to know that [customers are] concerned about performance and complexity, but they want to invest, so they need someone to help them make it happen.”

The report, released Tuesday, includes insights for partners, including those serving the top verticals represented in the survey: information technology; retail distribution, logistics and transportation; manufacturing; and financial services, including insurance and banking.

One headline: Among U.S. respondents, just 62 percent take full advantage of encryption technology.

That’s no surprise to the 55,000 current and former patients of an Indianapolis oncology practice whose demographic and insurance information, Social Security numbers and clinical data were stored on unencrypted backup tapes stolen from a car in back in 2012. In September, the practice, Cancer Care Group, agreed to pay the federal government $750,000 to settle potential HIPAA violations.{ad}

Ward says that while such all-too-common incidents have spurred better protection of customer data, employee information – including sensitive HR and health-care records, as well as corporate financial and intellectual property – and data stored with …

{vpipagebreak}

… cloud service providers is often still at risk. Thirty percent of organizations surveyed don’t always encrypt their own corporate financial information, and 41 percent sometimes leave files containing valuable intellectual property in the clear. While 84 percent express concern about the safety of data in the cloud, few encrypt all files stored in these repositories.

“There’s such a huge opportunity,” says Ward. “Only 39 percent actually claim they are encrypting anything that goes to the cloud, so that is a wide-open gap.”

As to why data is left unencrypted, respondents cite budget, performance concerns and lack of deployment knowledge as the top three barriers.

“With limited budget, they have to decide whether to deploy endpoint and network security or encryption, and unfortunately, in their minds, encryption falls below those others,” says Ward.

For the channel, the opportunity is clear. All companies are vulnerable to breaches. Depending on state disclosure laws, whether stolen files are – or are not – encrypted, may be the difference between an internal problem and a very public and expensive PR nightmare.

Partners need to educate customers on current encryption options. For example, performance penalties are rare today, says Ward. Tokenization can enable data analysis while still protecting information. In some cases, resistance is due to worries over key management. The answer is a key recovery policy in which the customer has a backup decryption key that can be retrieved by one or more employees with authority over the encrypted data.

Recoverability of data is also one reason Sophos recommends a unified platform, even though many cloud services, devices and applications now have native encryption baked in. Ward says that given the heterogeneous nature of how computing is done now, businesses need a consistent strategy.

“If you rely on the cloud and apps and devices to do their own encryption, then those people are also in charge of the keys,” says Ward. “If you implement a system that protects data regardless of where it goes, you’re in charge of the keys.”

Sophos’ product strategy focuses on file encryption versus disk encryption, which makes sense given the reality that security must follow data no matter where it resides. According to the 2015 Verizon Data Breach Investigation Report, more than 700 million records were compromised in 2014. The pace is unlikely to slow, and encryption of sensitive data is among Verizon’s seven steps for security readiness.

“Encryption is really the last line of defense,” says Ward. “Even if you don’t have enough budget to have all the endpoint or network security that you want, if you have encryption, if your data gets stolen, at least no one will be able to read it or use it.”

Ward sees adoption increasing over just two or three years ago and says customers tend to want partners to manage encryption for them.

“Get out there now,” he says. “Prospects are still confused over performance and complexity issues, and that’s just because reputation lasts a long time.”

Follow executive editor @LornaGarey on Twitter.