When it comes to data protection, crossing your fingers, closing your eyes and hoping for the best does not constitute an effective strategy.
It is frankly staggering that in 2018 so few organisations are encrypting their data, especially when most businesses now run core infrastructure over public networks.
Since Gemalto began its breach level index, back in 2013, over 9.2 billion data records have been lost or stolen. That’s the equivalent of 4.9 million records per day. It’s clear that the strategy of breach prevention alone is not working.
Last year (2017) organisations as diverse as Equifax in the US, the Department of Motor Vehicles in India, the National Health Service in the UK and the Election Committee in Hong Kong fell victim to high-profile data breaches.
Data has become more than simply the currency of business, and the impact of a data breach is felt far beyond the boardroom. The diverse nature of data breaches has seen everything from the embarrassing Apple iCloud leaks to the loss of project information relating to the F-35 Joint Strike Fighter by an Australian defence contractor and the premature release of episodes of HBO's Game of Thrones.
If breaches are all but inevitable, and the network itself is inherently vulnerable, organisations need to protect the data itself. Encryption is the only proven method of protecting data in the event of a breach: provided the keys are managed and stored separately from the data they protect, the stolen information is useless in the hands of unauthorised users.
Why is it then, that only 4% of the breaches published on the Gemalto index involved encrypted data?
It is possible that these organisations see data breaches simply as a cost of doing business in a digitally enabled world. Up until recently, they may have believed that the cost of encrypting data was prohibitive, or that the penalties associated with a breach were inconsequential.
Not any longer.
Setting aside the fact that the cost of encryption solutions has come down in recent years, the opportunity cost and financial impact of a loss of IP, customer data or commercially sensitive information outweighs the cost of the technology. A data breach means more than simply disruption to business as usual.
But wait…There’s more…
Perhaps the biggest change in business attitudes towards a breach will come as a result of the emerging data protection and breach notification regulations.
Data protection regulations are no longer just a compliance issue, nor just a privacy issue: they expose the organisation to financial and reputational damage caused by poor security practices. What is less well known is that corporate law in most jurisdictions places substantial due-diligence requirements on directors and executives, and that this now includes cybersecurity.
Board members and company executives are being placed on notice to ensure they are doing all they can to ensure the privacy of their customers’, suppliers’ and partners’ data and their own intellectual property and business data.
Unencrypted data is now just a lawsuit (or prosecution) waiting to happen, as consumers and businesses whose data has been accessed look to the courts for financial compensation for organisations' negligent behaviour.
In the USA, class actions are being prepared by victims of data breaches. Of greatest concern for the board is that it is not just the organisation itself that could be held responsible for the breach: individual board members or executives could be held personally liable for a negligent breach.
If that doesn’t sharpen the focus of those involved, nothing will. Ignorance is just as ineffective a strategy as hope.