Data breaches are a worldwide epidemic. Consider those that are most affected: two-thirds of Americans (198 million); half of Filipinos (55 million) and half of South Africans (30 million). This reflects a sorry state of security in information technology (IT). As an industry, we have failed to adequately secure people’s data. The supply chain, which accumulates everything from customer and supplier data to financial figures, can be a particularly tempting target.
Everyone is affected, and no-one is immune. Recent hacks have included:
- Corporates / large business (Accenture, TalkTalk, Verizon)
- Banks (Lloyds)
- Small and midsized enterprises (Forever 21, Panama and the Paradise Papers)
- Non-profits (the Red Cross Blood Bank)
- Political parties (RNC)
- Governments (South Africa, Philippines)
- Individuals (celebrities)
The variety of data breaches are similarly legion:
- Cloud leakage: Exposing data by mistake.
- Hacking: Exploiting technical vulnerabilities.
- Physical theft or loss: Including stolen laptops, lost backups, and dropped USB keys.
- Malware: Point of sale (POS) malware.
- Exfiltration: Insiders or employers leaking information.
In the flurry of examples, there are lessons to be learned about data mishaps. Leaks are often caused by poor data handling procedures on the part of organizations collecting data and by third-party contractors.
Encryption was not used to secure data in the examples above. If properly implemented, though, the technology could have prevented most types of breaches. Client-side encryption, for example, foils cloud leaks, hacking, credentials compromise and more. When securely integrated, client-side encryption could have prevented the malware from stealing data as well. More active hacking attacks can be slowed down when encryption is combined with pseudonymization and intelligent cryptographic key controls.
Client-side encryption substantially improves the security of data. At the same time, systems need to be engineered for security by design and default. IT administrators should integrate encryption into data handling processes for automatic security. All secondary copies of data (backups, archives, migrations, transfers) should be encrypted. Client-side encryption should be used for cloud data and local (on-premise) data.
Software developers should also integrate encryption into systems whereever possible. Sensitive information (e.g., biometrics, health, financial) should be encrypted and stored in encrypted storage, separate from the main database. Pseudonymization should be used to link the main database with encrypted storage.
Encryption is an excellent way to mitigate against data breaches. If encryption is so well studied and understood, why are there still data breaches? Often, in trying to implement encryption, organization encounter various problems: bogus products, placebo effect on security, and the expense and complexity of the technology.
There is a lot of confusion in the market around encryption products. The encryption market is faced with a three-fold issue: 1) there is a huge need to prevent data breaches; 2) the standards for encryption products are variable; and 3) there is variability of cost and ease of deployment in solutions, as well as complexity in delivering the capabilities. Let's examine a bit further down. There are three major industry issues. However, some tools skirt these issues. ScramFS, for example, is a general-purpose toolkit for encryption. It is lightweight, software based, and easy to deploy. Affordable for small and midsized enterprises (SMEs), it is trustworthy, and post-quantum secure.
Supply chain organizations need to think carefully about an encryption strategy, both to prevent data breaches and to address compliance issues. From a security standpoint, encryption prevents data breaches by sending a “no chance” message to potential hackers. Long-term security is needed against quantum computers.
Meanwhile, the European Union General Data Protection Regulation (GDPR), which will be enforced beginning in May 2018, requires that organizations provide data protection by design and default and encryption helps address many of the points in the regulations. Article 32 deals with personal data that must be secured to a level appropriate to the risk. And, Article 25 deals with the technical and organizational measures that should be implemented. GDPR compliance affects, not just big corporations, but also SMEs, non-profits, and governments.
In terms of best practices, organizations should encrypt data stored both locally (on-premise) and in the cloud. Encrypt data early, to ensure that all copies and backups of that data are already encrypted.