Skip to footer
Passcode
Modern field guide to security and privacy

It’s 2016 and you aren’t using encryption. Why?

All breaches aren’t created equally. Encryption, not breach prevention, separates damaging hacks from annoying intrusions.

|
Carolyn Kaster/AP/File
  • By Jason Hart CTO Data Protection, Gemalto

Encryption sounds synonymous with complexity.

It's not. It's very, very simple.

There should be no reason why an organization shouldn't be encrypting its data in 2016. The technology is there. And the rationale for using it is simple: Breach prevention is dead.

Our 2015 Breach Level Index showed over 1,600 disclosed breaches worldwide. That lead to more than 700 million records being exposed.

To put it simply, blocking breaches isn’t working.

As we watch hackers hone in on data critical to our lives and our businesses, we need to develop a mindset that accepts attackers will find a way in — but that our critical data is protected so it doesn’t make its way out.

Where are hackers headed?

Attackers pursued and achieved more valuable and durable information in 2015, according to the same Breach Level Index. While bad guys pilfered less financial data, the main takeaway from the report was the focus on long-lasting information (think of your health records or massive, comprehensive government databases) that allows them to conduct other attacks.

Hackers, in short, understand that it’s way harder to change your Social Security Number than it is to cancel a credit card — and in some cases, such as with one’s medical history, that information can’t be altered at all.

Bad guys see the enduring value of this data. At a consumer level, if a hacker can capture key information on an individual, they can potentially attack not only that individual but the organization they work for and other organizations that the compromised person accesses online.

Compare that to what happens when a digital attacker steals your credit card information: if the credit card's compromised, it's comparatively extremely easy for that credit card to be rejected, stopped, and a new credit card issued.

Turning to corporations, you don’t need to think data science is the sexiest job of the 21st century to see how companies are putting data at the heart of their business decision making like never before.

So where will clever digital attackers go? At the integrity of the most vital business data.

If a key driver of whether a company manufactures more or less widgets is its big data analytical approach, a nefarious digital intruder might just tweak the data, altering its integrity in a way that the organization would be unable, at first glance, to notice. Such attacks don’t need to steal a single bit of information to make a dent in a competitor.

The company, unaware of the faulty basis of their decision making, continues to drive its business ahead, making a slew of damaging decisions because of tampering with the original data. Companies could go months on broken assumptions and off-base approaches — making recovery from such an attack that much more painful to ameliorate, costly to the bottom line, and impactful on a company’s reputation.

What can stop these attacks?

To consider how hard it is to prevent an attacker from ever getting into your network, think about the hyper connectivity of the near future. Think about the Internet of Things.

Even one digitally-connected gadget has at least five different parties touching the data it generates: the manufacturer, the consumer, the cloud provider hosting that data, the smartphone maker on whose phone the consumer runs the app that controls the gadget, and at least (usually) one other gadget that digitally connects to our first IoT device.

And when our homes or our cars are chock full of connectivity, the number of connections is going to be a lot greater than five.

At any point in that transmission chain, a hacker could breach a faulty defense and start siphoning off our information. If any one part of that sprawling web of connectivity gets compromised, we have a problem.

It’s not hard to see why securing this intricate web of connections is an awe-inspiring task, even for the most sophisticated technologists. Now consider a massive enterprise with thousands of devices, a mobile workforce carrying those devices across the world, and digital attackers using increasingly sophisticated approaches to find even a small crack in our collective digital armor.

Which brings us to a crossroads. We can stick our heads in the sand believe that a breach isn’t going to happen to us because of our superior prevention or that our data isn’t valuable enough to matter.

Given the more than 1,600 breaches in 2015 worldwide, this seems, shall we say, unwise.

Alternatively, we can focus on protecting the asset that hackers are really after: data.

Which brings us back to not only encryption but a mindset that takes breaches as a given and focuses instead on protecting data.

Security leaders at organizations large and small need to admit that they are going to be breached — and then figure out what to do from there. What data is going to cause them massive reputational impact? What data, in the event its integrity is compromised, is going to kill my business?

By making that shift from considering more extravagant (and expensive) ways to keep bad guys out to protecting core assets once a diligent hacker eventually gets in, information security leaders will begin thinking in a totally different way. They’ll begin to evaluate risk better and apply core information security controls, encryption, key management, and authentication.

It sounds oxymoronic, but this type of approach leads to what we call a secure breach.

Even when the attacker breaks through, the locked box they find inside is way less useful than the sprawling flows of data they unlocked in the unencrypted past.

And yet while encryption is one of the most obvious strategies for preparing for a breach, only 48 of the data breaches in 2015 – less than 4 percent of all breaches – involved data that was encrypted to any degree.

We’ve got to accept the fact that breaches are going to happen. And to keep them secure, the answer is encryption.

Jason is vice president and chief technology officer for Gemalto’s data protection solutions. He is a former ethical hacker with 20 years’ experience in the information security industry. Follow him on Twitter at @Hart_Jason and download the full Breach Level Index here.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.
editor@csmonitor.com
Subscribe
Mark Sappenfield
Editor

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

Subscribe to insightful journalism

QR Code to It’s 2016 and you aren’t using encryption. Why?
Read this article in
https://www.csmonitor.com/World/Passcode/2016/0413/It-s-2016-and-you-aren-t-using-encryption.-Why
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe