In this respect, I believe regulators have fallen short. In a world facing ongoing cyber threats, the standards for cybersecurity are set so surprisingly low that their rules typically only recognize encryption of all stored data as a requirement. This is despite the fact that encryption—not firewalls, monitoring, identity management or multifactor authentication—is the purpose-built technology for protecting data against the strongest and most capable adversaries. Stronger regulations are needed to ensure encryption becomes a mandated standard, not just an optional recommendation.
Fortunately, companies need not wait until regulators realize their folly and can opt to do better today. Some companies already have. They approach data security as an exercise in risk mitigation rather than passing an audit. From this perspective, data encryption quickly becomes an obvious requirement for all their sensitive data as soon as it is ingested into a data store.
Another beneficial development is that encryption has become easier and faster to implement, including the ability to process encrypted data without exposure, a capability known as privacy-enhanced computation. While there will always be some overhead to adopting data encryption, many have found that the return on investment has shifted decisively in favor of encrypting all sensitive data due to its substantial security benefits.