Encryption: the reason I weep for the future of security

Norman Shaw looks at why encryption alone is not the answer to avoiding a data breach and outlines where he thinks companies should be focusing.

Norman Shaw, CEO, ExactTrak

According to the latest IBM / Ponemon Cost of Data Breach report, the most popular preventive measure implemented after a data breach is the expanded use of encryption. It's easy to see why: encryption is a very easy and fast technology to deploy. But there are significant problems with it.

Among the statistics in the latest report from IBM and the Ponemon Institute was the claim that the total average organisational cost of a data breach had increased by seven percent, from £2.37 million in 2015 to £2.53 million in 2016. The cost has been rising steadily since 2012. Meanwhile, the 'expanded use of encryption' has been the most popular preventative measure implemented after a data breach for three years running. So encryption is being deployed after breaches, yet the volume and cost of breaches continue to rise. This correlation alone suggests that encryption, as a means of avoiding or containing a data breach, is not a viable strategy, but there are other reasons too.

One of the main problems with encryption is that it's often perceived as complicated or slowing down either devices or productivity and as a result, users often find ways to disable the encryption.

Encryption that requires passwords can also be problematic. The first problem is the gap between what an IT department considers a 'strong' password and what a regular user does. This is a catch-22. If the IT department insists on a full, strong, internet-generated password, the user is likely to save that password, physically or electronically, in an easy-to-find place, which somewhat defeats the purpose of the ultra-secure password. Colleagues also share passwords with other colleagues to give them entry to restricted files rather than request additional passwords.

The second problem arises whether or not the IT department enforces strong passwords: users simply reuse the same password for everything, including their personal devices and accounts, which are rarely subject to much, if any, security. That makes it easier for hackers to find a way into the corporate data.

But even setting aside the password issues and users trying to disable encryption, there are real concerns about the robustness of the technology itself, even when it is successfully deployed. Earlier this month, computer science researchers from the Technion (Israel Institute of Technology) carried out attacks on several public-key encryption schemes. One of the 'attacks' allowed the researchers to steal the encryption keys by monitoring the acoustic emanations produced by the voltages and currents passing through the PC, via vibrations. The researchers claimed that attackers could carry out such an attack by placing a mobile phone just 30cm away from the computer, or, with a parabolic microphone, from as much as 10 metres away.

Finally, the idea that encryption is generally the cheapest option also needs to be challenged. While it's true that the IT department can update encryption software remotely, many encryption solutions work on a subscription or licence model, so the true cost is not always as low as initially thought.

So if encryption really isn't what we should be looking at to secure our data, what should we be focusing on? Of course, you have to protect your organisation as much as possible against a data breach but I feel that the game has changed now to include avoiding data loss in the event of a breach.

There are technologies on the market that monitor user or device behaviour and alert management when certain files are downloaded, giving management the opportunity to act quickly to curtail the loss. There are also technologies that deny users access to data based on criteria such as their location (geo-fencing). And there are solutions, particularly for mobile data, that allow organisations to irrevocably delete the data remotely if the device is outside a certain area or is reported lost or stolen. These give management options to protect their data even in the event of a breach, while also providing a verifiable audit trail that could help to avoid the huge fines that will come in with the EU GDPR in less than two years.
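To make the controls named above concrete, here is an added illustration (not code from this article or from ExactTrak) of how two of them fit together with an audit trail: a geo-fence that denies access from outside a permitted radius around an approved site, and behaviour alerting that flags downloads of files tagged as sensitive or an unusual burst of downloads from one user. Every decision is appended to an audit log. Remote wipe is not modelled. The site coordinates, thresholds, user names, tags and log lines are all constructed for the example.

```python
"""
Toy data-loss-containment policy: geo-fencing + behaviour alerting + audit trail.
Added example; every name, coordinate, threshold and log line below is constructed.
"""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class GeoFence:
    name: str
    lat: float
    lon: float
    radius_km: float

    def contains(self, lat, lon):
        return haversine_km(self.lat, self.lon, lat, lon) <= self.radius_km


@dataclass
class Policy:
    fences: list               # approved sites a device must be inside
    sensitive_tags: set        # any file carrying one of these tags raises an alert
    bulk_threshold: int        # this many downloads inside `window` raises an alert
    window: timedelta
    audit: list = field(default_factory=list)
    _history: dict = field(default_factory=dict)   # user -> recent download timestamps

    def _record(self, ts, user, decision, reason):
        self.audit.append(f"{ts.isoformat()} user={user} decision={decision} reason={reason}")
        return decision

    def evaluate(self, event):
        """Return ALLOW, ALERT or DENY for one download event and log the reason."""
        ts, user = event["ts"], event["user"]
        # Geo-fence first: a device outside every approved site gets no data at all.
        if not any(f.contains(event["lat"], event["lon"]) for f in self.fences):
            return self._record(ts, user, "DENY", "outside geo-fence")
        # Sliding window of this user's recent downloads for the bulk check.
        hist = self._history.setdefault(user, [])
        hist.append(ts)
        hist[:] = [t for t in hist if ts - t <= self.window]
        if event["tags"] & self.sensitive_tags:
            return self._record(ts, user, "ALERT", f"sensitive file {event['file']}")
        if len(hist) >= self.bulk_threshold:
            return self._record(ts, user, "ALERT", f"{len(hist)} downloads within {self.window}")
        return self._record(ts, user, "ALLOW", "within policy")


def parse_line(line):
    """Constructed log format: <iso timestamp> <user> <lat> <lon> <file> <tags|->"""
    ts, user, lat, lon, fname, tags = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "lat": float(lat),
        "lon": float(lon),
        "file": fname,
        "tags": set() if tags == "-" else set(tags.split(",")),
    }


# Constructed sample: alice and carol are near the approved London site,
# bob reports a position in Paris, carol downloads four files in 30 seconds.
SAMPLE_LOG = """\
2016-06-20T09:00:00 alice 51.5080 -0.1280 notes.txt -
2016-06-20T09:01:00 bob 48.8566 2.3522 plan.docx -
2016-06-20T09:02:00 alice 51.5080 -0.1280 payroll.csv hr,confidential
2016-06-20T09:03:00 carol 51.5100 -0.1300 a.pdf -
2016-06-20T09:03:10 carol 51.5100 -0.1300 b.pdf -
2016-06-20T09:03:20 carol 51.5100 -0.1300 c.pdf -
2016-06-20T09:03:30 carol 51.5100 -0.1300 d.pdf -
"""


def run_sample():
    """Evaluate the constructed log; return (decisions, audit trail)."""
    policy = Policy(
        fences=[GeoFence("london-office", 51.5074, -0.1278, radius_km=5.0)],
        sensitive_tags={"confidential", "hr", "finance"},
        bulk_threshold=4,
        window=timedelta(minutes=1),
    )
    decisions = [policy.evaluate(parse_line(l)) for l in SAMPLE_LOG.splitlines()]
    return decisions, policy.audit


if __name__ == "__main__":
    _, trail = run_sample()
    print("\n".join(trail))
```

The ordering matters: the location check runs before anything else, so a device outside the fence never reaches the file, and the audit entry records why. The bulk threshold and window are the knobs a security team would tune against normal usage; set too low they generate noise, set too high a large exfiltration passes as routine.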

While encryption does make me weep for the future of security, I'm also heartened by the fact that 'training and awareness' is the second most popular preventive measure. I'm a huge believer that, despite all the talk of cyber-attacks, it's ultimately people and human error that are the biggest cause of data loss, so the fact that organisations are actively trying to educate their employees gives me hope that all might not be lost for the future of security just yet.

Contributed by Norman Shaw, CEO, ExactTrak