Why data encryption may save your enterprise

We live in a frightening world. When it comes to your online security it’s important to recognize how fragile your defences are. Firewalls and other forms of perimeter protection will be breached and your data will be at risk once they fall.

“While the number of data breaches fluctuates, it's still clear that breaches are not a matter of 'if' but 'when’,” warns Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto, announcing Gemalto’s Breach Level Index.

The Index is a global database of data breaches ranked by order of severity by a range of factors, including the quantity and quality of data stolen in the attacks.

At present, most digital infrastructure relies far too much on traditional perimeter defenses such as anti-virus, firewalls or spam filters.

Gemalto believes enterprises should deploy routine data encryption to protect themselves. The fundamental theory seems sound: if perimeter defenses are the front door, then strong encryption is the safety deposit box.

The nature of the threats we face are mutating fast, meaning hackers have an easy time getting through what appear to be increasingly flimsy defenses.

However, once hackers get inside these networks the level of encryption used to add protection to this data remains small, growing from just 1 percent this time last year to a still tiny 4 percent this year.

Gemalto says 888 data breaches occurred in the first half of 2015, compromising 246 million records worldwide. The four biggest attacks this year include:

·        Anthem Insurance: 79 million personal records exposed

·        US Office of Personnel Management: 21 million records exposed

·        Turkey's General Directorate of Population and Citizenship Affairs, 50 million records breached

·        Topface, Russia, 20 million records exposed.

Identity theft remains the biggest motivation for attacks, accounting for 75% of all records compromised, leaving those people whose data has been stolen exposed to incalculable consequences.

Hart urges organizations to adopt a “data-centric view of digital threats starting with better identity and access control techniques including multi-factor authentication and strong encryption to render sensitive information useless to thieves."

The range of tools used by modern cybercriminals continues to expand. In order to respond to this constantly transforming threat environment, organizations should deploy a range of measures, including use of data encryption. Forrester’s Kill Your Data to Protect It From Cybercriminals, report predicts “organizations will encrypt data — both in motion and at rest — by default.”

The argument is that by “encrypting, and thereby devaluing, sensitive data, organizations can make cybercriminals bypass their networks and look for less robustly protected targets,” Gemalto explains. (Analogously it’s the same as any other form of burglary – thieves breaking through the front door won’t call again if all your possessions are locked down).

Encryption also has a part to play when locking down business assets on the mobile device. “The most common cause of a security breach involving a mobile device is the loss or theft of the device. The employer can typically mitigate the risk of a security breach in those circumstances by confirming that the device is encrypted and password protected, and by remotely wiping the device promptly after receiving the report of the device’s loss or theft,” Lexology argues.

There are several different ways to apply data encryption, those that make sense depend on if data is stored (known as “Data at rest”) or if it is travelling across the network (dubbed: “Data in motion”.):

At rest, data can be encrypted:

·        At application level

·        In the file or operating system

·        In the device driver or network interface

·        On the network

·        On the storage controller

·        On storage device.

Data in motion can also be encrypted in multiple ways:

·        Secure socket/transport layer security

·        WiFi protected access

·        Virtual private networks, and

·        Internet Protocol Security (also known as IPsec).

Any or all of these may offer relevant protection to your organization.

It is unfortunate some governments are arguing against data encryption. From online payments to credit card processing, such protection is essential to many daily tasks, and in the face of the changing security environment, encryption will become a strategic necessity for CIOs attempting to lock down security protection.

"There are lots of different ways to secure data besides encryption, but there is pretty much a consensus inside the security community that encryption is a fundamental and critical way to protect users data from the very thieves, identity theft cases, [and] privacy intrusions that law enforcement is interested in investigating,” argues Google’s director of law enforcement and information security, Richard Salgado.

"We are working towards more encryption on our products and our services as part of a larger plan to make sure the data services we provide to our users are secure and that users can use our services knowing that the information they entrust to us is safe,” he said.

This move to embrace data encryption isn’t just essential to big online service providers like Google, but to enterprises in every walk of life. After all, identity fraudsters stole $16 billion from 12.7 million US consumers in 2014 alone – with cash like this to be made, cybercriminals will do all they can to get hold of your data. It’s possible data encryption will become a social responsibility.

Find out how Orange Business can help improve your enterprise security here, and explore some of the current security threat trends in this report.

Stewart Baines
Stewart Baines

I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is in emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.