Around this time of year, it has become a bit of a tradition for us to look back on the previous year and lament over the state of the cyber-security landscape. We all begin the new year with the hope that last year’s breach statistics will be better than the year before but, for the most part, we’ve been disappointed.
Cyber security experts recall that 2014 promised to be the year of encryption, but five years later, annual security research surveys continue to show no more than 4% of breached data is protected by encryption.
Statistics can be misleading. Depending on which survey you read, the volume of records lost or stolen last year went up, or down. Truth Finder recently published a report based on data from Experian and the Identity Theft Threat Centre. It claims the number of breaches was down from 1597 in 2017 to 1232 in 2018. However, the volume of records compromised rose by 133%.
This number is disputed by another report from RBS that states the total number of records was down one third on the year before, to around 5 billion. However, the first-half 2018 report from Gemalto shows 3.3 billion records compromised in the first 6 months.
Overall, the picture for the past 6 years is less than encouraging. Since it began its Breach Level Index in 2013, Gemalto puts the number of lost or stolen records at 14.7 billion.
When is a breach not a breach?
The introduction of the GDPR in May of 2018 has had wide-ranging implications for data governance, not just within the EU, but worldwide. There have been high-profile penalties for major tech firms under the new legislation and a much stricter set of guidelines surrounding “breach etiquette”.
Significantly, the GDPR encourages data protection through the use of “effective encryption”. When breached data is protected by effective encryption, the GDPR does not consider the breach to be a “qualifying” breach under its guidelines, hence no penalties apply.
Information Age reports that, in the eight months following the introduction of the GDPR, European firms reported over 59,000 breaches. Despite pressures to do so more quickly, the average time taken for a company to disclose a breach in 2018 was still 47 days.
What’s stopping you?
The argument for hardware encryption as the best, last line of defence has been made repeatedly; so why is it that only 4% of the breaches that made it to the Breach Level Index involved encrypted data? Why are only 30% of enterprises using encryption to protect their core infrastructure?
Is it that encryption is still seen as a strategy only employed for government and military applications? This couldn’t be further from the truth. Senetas customers come from a broad spectrum of industry verticals, including cloud service providers, private banks, engineering firms, consumer websites and oil & gas exploration companies.
Is it that encryption is seen as something only for enterprise-grade businesses? If the critical infrastructure breaches in the US last year showed us anything, it’s that even small firms should be encrypting their data. Smaller supply chain organisations were used as a gateway to larger, more sophisticated systems, resulting in unauthorised access to critical command and control systems within the national electricity supply grid.
Perhaps it’s because of the perception that hardware encryption is in some way complex, requiring significant management resource and adding data overhead and latency to the network. Again, this is a misconception. The reality is the complete opposite.
Senetas hardware encryptors are as simple as plug and play. The hardware goes in the rack, you launch the CypherManager software on a PC and configure the network, and it immediately detects, and starts encrypting, your links. It’s as simple as that. No queues of security and other patches, no network and business disruptions and no additional staffing overheads. In addition to encrypting the data, the encrypted links are also protected against the injection of rogue data.
So, will 2019 be the year of encryption? Well, the early signs are that it’s going to be another big year for breaches. According to IT Governance UK, January already saw 1.7 billion records compromised. Given that breaches are almost inevitable, organisations should start thinking about encryption in terms of business assurance, rather than as an insurance cost.
You don’t have to just take our word for it; here’s what IDC has to say on the matter.
“As data migrates away from the enterprise premises and to the cloud, network security is no longer sufficient to protect your data. Regulatory compliance and sovereignty issues are forcing companies to rethink their security stance. You need new data security methods to protect today’s IT landscape, and this starts with encryption.”