Encryption is the first line of defense when securing data in the cloud, but many companies don’t make use of it.

A new study on encryption trends found 56 percent of organizations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism. And another 28 percent expect to do so in the next one to two years.

Yet almost 40 percent of data at rest in the cloud is unprotected.

The findings in Ponemon Institute’s 2016 Global Encryption and Key Management Trends Study, commissioned by Thales e-Security and Vormetric Data Security, indicate that for many companies, the benefits of cloud computing outweigh the risks associated with transferring sensitive data to the cloud, said Larry Ponemon, founder and chairman of the Ponemon Institute.

It is risky behavior, but Ponemon said organizations recognize the danger and have been increasing their adoption of encryption technologies. The number of organizations that have an enterprise-wide encryption strategy has risen to 37 percent. The number has steadily increased over the past 10 years. And the use of encryption technologies has risen to 41%.

Looking specifically at encryption for public cloud services, the number of companies using it is still small—only 25 percent of the respondents have extensively deployed encryption technologies for public cloud services—but it, too, has shown year-over-year growth, Ponemon said.

“Over time, as a category, cloud encryption will grow in importance. And some of the more standard types of encryption, like database encryption, will become less prevalent because more companies will be dealing with the cloud rather than an on-premises database,” he said.

Driving the use of encryption

Two things are driving companies to adopt encryption, Ponemon said: compliance and the threat of a data breach.

Sixty-one percent of respondents say compliance with privacy and data security requirements is driving adoption of extensive encryption use within their company, and 51 percent say protecting enterprise intellectual property is the main driver.

“It’s obvious to most companies that all companies are susceptible to a data breach. By encrypting, you’re not saying there won’t be a data breach, but you’re minimizing harm to your customer, your employees—whoever’s data is at risk,” Ponemon said.

Companies are saying even if encryption costs money and creates a little a little bit of degradation in their IT processes, it’s worth doing because they don’t want to be the next company that loses data, he said.

Interestingly, budgets for encryption have decreased while the use of encryption technologies has increased. Ponemon attributes this to competitive pressure among encryption solution providers.

“A lot of organizations are realizing there are different ways to encrypt, so there’s price pressure. And companies are saying, ‘If we can get the same quality of encryption for less money, we’re going to do it.’ There are quite a number of competitors in this space,” he said.

Also, public cloud service providers, increasingly offer security and encryption as part of their services.

“Now, a lot of cloud providers—especially the big guys—are providing a really secure product,” Ponemon said. “More and more of these companies that say if you buy their services, they will include tools like encryption, databases, SSL encryption and all of these wonderful tools. So, there are different ways of encrypting data in the cloud that can be cost savings for a company.”