To make headlines today, a data breach needs to be truly extraordinary. Thefts of account numbers, medical files and other forms of sensitive information have become so routine that the loss of a hundred thousand records here or there is hardly enough to draw the spotlight. Only events that are unprecedented in some fashion, like the Yahoo breach that exposed the personal information of a billion people, or the Tesco Bank breach, in which money was stolen directly from customers' bank accounts, manage to break through the monotony and earn the public's attention.
Although they rarely show up on the front page, data breaches continue to happen every day, and the damage they inflict is staggering. Lawsuits, loss of consumer confidence, and regulatory penalties—which will become significantly higher once the GDPR takes effect in 2018—can haunt a company for years after a security failure. The damage doesn't end there. A recent study of cyber-security attacks in the UK showed that companies' share prices tend to fall by nearly two percent in the aftermath of a data breach, costing investors tens of billions in lost value.
It doesn't have to be this way. Despite the proliferation of cyber-threats around the globe, businesses can protect themselves and their investors from the negative consequences of data breaches. The solution is not to pile on additional layers of security in hopes of keeping thieves and spies out, but to encrypt sensitive data so that it cannot be used or exploited even in the event that it is stolen.
A new mindset
No one will ever suggest that network and device security is a waste of time. Every organisation needs to maintain strict control over who can access its data and how the data can be used. However, most information security managers and data protection officers would agree that there is no such thing as perfect protection, and that no amount of access control can guarantee the safety of a network. To develop an effective long-term cyber-security strategy, businesses must operate under the assumption that sooner or later their data will be stolen.
Once that point is acknowledged, organisations have two choices: continue with business as usual and hope for the best, or protect their data in a way that will make it useless to the hackers who eventually steal it. Strong encryption does just that. Provided the decryption keys are managed separately from the data they protect and are not stolen alongside it, recovering the plaintext is computationally infeasible for anyone, no matter how sophisticated they may be or how much computing power they may have at their disposal.
A new definition of security
Once a company has encrypted its data, a security breach becomes a matter for routine IT follow-up, rather than an organisation-wide nightmare. Customers will never be able to blame the company for letting hackers steal their credit card numbers or personal details, and board members will never be forced to field questions from shareholders about their failure to protect the company's information and reputation. Even regulatory compliance becomes simpler. For example, organisations that use strong encryption are exempted from the GDPR requirement to inform affected individuals when their personal information is compromised in a data breach, provided the data was rendered unintelligible and the keys were not exposed in the same incident; the obligation to notify the supervisory authority still applies, but the far more damaging task of contacting every affected customer does not.
In the years to come, network and device protection strategies will fall further behind the rapidly evolving techniques used by data thieves and other hackers. Many more companies will learn the hard way that unencrypted data is never truly safe from theft, misuse or accidental exposure. Eventually, however, end-to-end strong encryption is likely to become the standard for enterprise data protection. When that day arrives, data breaches will be absent from the headlines because they will no longer be newsworthy at all.
Contributed by Matt Little, chief product officer, PKWARE
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.