Attributed to: Rana Gupta, Vice President, Identity and Data Protection, Asia Pacific, Gemalto
Why data encryption is your last line of defense in a data breach
The recent SingHealth breach is considered the worst attack in Singapore’s history, resulting in the loss of millions of private records and sensitive data. The leaked data affects not only SingHealth, but everyone else who’s had their data stolen. Perimeter defense alone is not a fool-proof solution in the event of a breach – here’s why you should shift your focus to accepting that a breach is inevitable.
Perimeter-based defenses: No longer up to the task?
In recent years we’ve seen data breaches of various scales, ranging from small-time breaches to large-scale attacks like the recent SingHealth breach (1.5 million users), Facebook breach (87 million users), and the massive Equifax breach (146 million users) in 2017. Currently, the SingHealth breach is under investigation by the COI, signalling the complexity of such a large-scale attack.
A recent study revealed that hackers are 80% more likely to attack organizations in the Asia Pacific (APAC) region due to their cybersecurity infrastructure weaknesses. SingHealth joins the ranks of several other high-profile breaches seen in the region since 2016, making the region a thriving environment for cybercrime, rife with low cybersecurity awareness and weak regulations.
Deprioritizing cybersecurity is no longer an option. Companies are already taking the necessary steps to ensure that security measures are in place. With security professionals facing threats every day, there has been much discussion about traditional network security.
In a traditional network security setup, firewalls, antivirus software, and intrusion detection systems all work together and are designed to keep threats out. However, traditional prevention methods, while necessary, may no longer be up to the task. As government contractors and software vendors have fallen victim to large-scale breaches, organizations with fewer IT resources are starting to wonder whether prevention and fortifying a strong perimeter is the best approach.
Belief vs. reality
In our 2017 Gemalto Data Security Confidence Index report, we found that 94% of businesses claim their perimeter security technology is efficient at keeping threats at bay and unauthorized users out of their network. In the same study, we also found that 65% of businesses are not extremely confident that their data would be secure following a breach. After all, employing perimeter-based security alone does not equate to an impenetrable wall surrounding a company’s IT infrastructure.
A change in (data) mindset
I had a conversation with an ethical hacker once, who told me why he prefers being a hacker instead of a security defense expert. He told me, “As hackers, we just need to succeed once. But as a security defense person, you have to succeed every time!”
Security has always been a game of prevention. But even with multiple layers of security, organizations still fall victim to attacks, proving the ineffectiveness of perimeter defense without the other complementary layers of security. In fact, 91% of breaches start with phishing emails as the beginning of the infection chain, with employees successfully duped into clicking malicious links.
Suffice to say, even with an effective perimeter architecture, attackers can and will gain access to your data, aka the ‘crown jewels’. Ironically, data security is the area that organizations neglect the most, because they make one of the biggest mistakes an organization can make: assuming their defenses will work as planned. Most organizations assume the person manning the network operations center (NOC) and the security operations center (SOC) won’t go on holiday the day the first alert comes in. They believe and trust that all the end-user training they conducted won’t go down the drain. In an ideal world, all our expectations would line up perfectly with reality, but this is not often the case. Do we really want to take things for granted and face the music when a breach finally happens? Or do we want to be prepared for it?
True cybersecurity awareness assumes at the outset that a breach is inevitable. You need to protect everything that’s truly vital to your organization and accept that the rest will be compromised.
What can organizations do then if we now realize a breach is inevitable?
“When your business is eventually breached, will your data be secure?”
At Gemalto, we assume that every business will be hacked at some point – and it will. And that’s why we have a three-step approach to this. Before it happens, we need you to ask yourself these three questions to help secure the breach.
1) “Where is my data?”
Knowing where your sensitive data lies is highly important. This is the first and most important step in any data security strategy. Once located, encrypt it.
Our 1H 2018 Breach Level Index Report shows that 99% of all breaches involved data that was not encrypted. Encryption is the last and most critical line of defense in the event of a breach, so it’s important that it’s done properly in order to be effective.
2) “Where are the keys?”
Now that you’ve identified and encrypted your sensitive data, ask yourself where and how to secure your encryption keys. Knowing how to manage and store your encryption keys is the next step we recommend in securing the breach. This ensures your ownership and control over your encrypted data at all times.
3) “Who has access to my data?”
Data encryption and key management are nothing without identifying who has access to your corporate resources and applications. Access management and control is the final step of your data breach strategy, but a highly important one. Access management provides additional security, visibility, and overall convenience, and verifies users’ identities to grant the appropriate access controls.
A multi-layered security approach will most definitely reduce the risk of exposing your sensitive data and of that data falling into cybercriminals’ hands. By implementing our three-step approach (encrypting all sensitive data, securing your keys, and managing user access), you can effectively prepare for a breach.