28 Oct 2018
The introduction of new data protection legislation has helped focus the minds of many cyber-security professionals.
For instance, the first half of 2018 saw a surge in compliance-related projects as businesses across the world rushed to meet the May deadline for the GDPR.
But, is simply meeting the regulatory requirements enough? Should security-conscious organisations be relying on government to set the standard for data security, or should they look beyond compliance to implement best-practice?
Regulatory compliance is important. Especially for those organisations that lack a formal strategy. The problem with compliance purely for the sake of compliance, is that it can become a crutch for some businesses. Treating compliance as a tick box exercise – concentrating on what is required, rather than why – may be a little shortsighted.
What we’re really talking about here is risk management. A clearly defined cyber-security strategy (one that includes elements of people, process and technology) can help insure your business against the potential impact of a data breach.
In its H1 2018 Breach Level Index Report, Gemalto recognizes the impact of legislation and the renewed focus on privacy and data protection. Despite this, it also reveals that more data than ever was compromised in the first half of this year. The numbers are staggering, with more than 18.5 million records lost or stolen every day!
A comprehensive cyber-security strategy needs to include elements of both prevention and protection. What many stakeholders fail to recognize is that prevention methods alone do not work. Like death and taxes, data breaches are inevitable. When they occur, you want to make sure the data itself is protected.
The Breach Landscape
Malicious outsiders were responsible for more than half of all breaches in the first half of 2018. Worryingly, over a third of all breaches were still the result of accidental loss – resulting from human error or misconfiguration of services. In these instances, data encryption can ensure the lost records do not result in substantial harm, either to the data subjects or the organisations that lost the data.
Mandatory notifications are an important part of new regulations, from the EU’s GDPR to Australia’s Notifiable Data Breach scheme. Organisations are required to notify affected parties and regulatory authorities of qualifying breaches within 72 hours of discovery. The trouble is, when it takes an average of six months for breaches to become identified, the damage is already done.
The consequences of a breach have moved beyond a little embarrassment and a regulatory slap on the wrist. For negligent or repeat offenders, you could be looking at significant financial penalties, irreparable damage to brand reputation, or even criminal charges for senior executives.
The Role of Encryption
Encryption is a powerful tool in this regard. Much of the new legislation makes provision for the use of encryption, without mandating it; stating that if suitably robust encryption is in place, there is no burden of disclosure. Given the stakes it is surprising, so few breaches involve encrypted data. According the Breach Level Index, just 2.2% of records compromised this year were encrypted. This is another instance of doing the bear minimum to meet compliance obligations.
“Encrypt everything” may not be a practical approach for everyone. So, it’s important for businesses to understand what constitutes sensitive data and to prioritize its security and integrity. One simple method for assessing data sensitivity is whether it passes the “headline test”. IE: if the compromised data were to appear in tomorrow’s newspaper, would it cause harm? If the answer is yes, it should be protected; both at rest and in motion.
Security-aware organisations across the world are going beyond compliance, using end-to-end encryption technologies to secure everything from financial transactions to real-time video surveillance, intellectual property to critical national infrastructure.