Whenever the news of any data breach surfaces, the first action of most organisations is to take an immediate stock of their IT perimeter defenses and update them to avoid getting breached themselves.
While it is definitely a good strategy to ensure that perimeter defense systems like firewalls, antivirus, antimalware, etc. that act as the first line of defense are always kept updated, focusing only on these defense mechanisms is no longer sufficient in today’s perilous times where hackers are breaching organisations’ cybersecurity more frequently than ever before.
As per the H1 results of Gemalto’s 2018 Breach Level Index, more than 3.3 billion data files were breached across the globe in the first six months of 2018 alone. This figure marks an increase of a whopping 72% over those recorded for H1 2017! And unsurprisingly, more than 96% of these breaches occurred on data that was not encrypted.
The latest victim of data theft in India is Pune-based digital lending startup EarlySalary, who suffered a massive data breach in which the personal details, employment status and mobile numbers of its 20,000 potential customers were stolen. The company discovered the breach only after they received a ransom demand from the hackers, following which they plugged the vulnerability. While the company claimed that the attack was centered on one of its older landing pages, the damage was already done.
With rising cyber attacks such as these, organisations can no longer live under the illusion that once they deploy robust perimeter defense systems, they are safe. Whether it is an attack on startups like EarlySalary that may have rudimentary perimeter defenses or conglomerates like Facebook, SingHealth and Equifax that most likely had deployed top-notch front line defense systems, the common denominator between the data breaches at all these organisations is that they focused only on their front line defenses (perimeter security) while ignoring their last line of defense – data encryption.
Secure the Data, Not Just the Systems
While perimeter security mechanisms indeed act as a strong deterrent against cyber attacks, they are rendered completely useless once hackers gain an inside access to an organisation’s data files.
Whether the data is at rest, or in motion (during transfer), encrypting it is perhaps the surest way of safeguarding it against malicious attacks. Since encryption makes it virtually impossible to decipher the data without the corresponding decryption key, hackers have zero incentive in breaching organisations that have encrypted their data.
Below are three steps that organisations need to take to ensure optimal data protection:
1. Locate sensitive data
First, identify where your most sensitive data files reside – audit your storage and file servers, applications, databases and virtual machines, along with the data that’s flowing across your network and between data centers.
2. Encrypt & Tokenize it
When choosing a data encryption solution, make sure that it meets two important objectives – protecting your sensitive data at each stage and tokenizing it.
Gemalto’s SafeNet Data Encryption Solutions not only encrypt data seamlessly at each stage (at rest and in motion) but also incorporate a proprietary Tokenization Manager that automatically generates a random surrogate value (also known as a Token or Reference Key) for each data file to avoid easy identification.
3. Safeguard and manage your crypto keys
To ensure zero-compromise of your data’s encryption keys, it is important that the keys are stored securely and separately from your encrypted data. Use of Hardware Security Modules (HSMs) is perhaps the surest way of ensuring optimal key security.
When choosing a HSM solution, make sure that the solution also facilitates key management to manage the crypto keys at each stage of their lifecycle – like generation, storage, distribution, backup, rotation, and destruction.
Gemalto’s SafeNet HSMs come with an in-built Key Management feature that cohesively provides a single, robust, centralized platform that seamlessly manages the crypto keys at each stage of their lifecycle.
5 Reasons Why Data Encryption Becomes a MUST
With cyber attacks on the rise with every passing day, the cybersecurity landscape across the globe has witnessed a tectonic shift in the last few years. First line of defense mechanisms like perimeter security are no longer sufficient to prevent data breaches, since after an intrusion, there is hardly anything that can be done to protect the data that is not encrypted.
Realising this, Governments across the globe are introducing stringent regulations like the General Data Protection Regulation (GDPR), RBI’s Data Localisation, PCIDSS and the upcoming Personal Data Protection Law, 2018 in India to ensure that organisations make adequate security provisions to protect their users’ confidential data.
Below are a few reasons why data encryption is no longer “good-to-have”, but “must-have” in today’s world:
1. Encryption Protects Data At All Times
Whether the data is at rest or in motion (transit), encryption protects it against all cyber attacks, and in the event of one, renders it useless to attackers.
2. Encryption Maintains Data Integrity
Cyber criminals don’t always breach an organisation’s cybersecurity to steal sensitive information. As seen in the case of the Madhya Pradesh e-Tender Scam, many a times they breach organisations to alter sensitive data for monetary gains. Encryption maintains data integrity at all times and immediately red flags any alterations to the data.
3. Encryption Protects Privacy
Encryption ensures safety of users’ private data, such as their personal data, while upholding and protecting the users’ anonymity and privacy, that reduces surveillance opportunities by governments or cyber criminals. This is one of the primary reasons why Apple strongly believes that encryption will only strengthen our protection against cyberattacks and terrorism.
4. Encryption Protects Data Across Devices
In today’s increasingly Bring Your Own Device (BYOD) world, data transfer between multiple devices and networks opens avenues for cyber attacks and data thefts. Encryption eliminates these possibilities and safeguards data across all devices and networks, even during transit.
5. Encryption Facilitates Regulatory Compliance
To safeguard users’ personal data, organisations across many industries have to comply with stringent data protection regulations like HIPAA, GDPR, PCIDSS, RBI Data Localisation, FIPS, etc. that are mandated by local regulators. Encryption assures optimal data protection and ensures regulatory compliance.
It’s time for a new data security mindset. Learn how Gemalto’s 3-step Secure the Breach approach can help your organisation secure your sensitive data from cyber-attacks.
*** This is a Security Bloggers Network syndicated blog from Enterprise Security – Gemalto blog authored by Ved Prakash. Read the original post at: https://blog.gemalto.com/security/2018/10/29/data-encryption-from-good-to-have-to-must-have/