The Failings of Blanket Encryption
As the rate and severity of data breaches increase, industry leaders in the IT sector have sought more all-encompassing measures to safeguard sensitive information stored on company systems.
Many have identified the lack of blanket encryption of company files as the primary cause of damaging data exposure following successful intrusions by cyber criminals.
While the majority of stolen data consists of non-encrypted files, the question remains whether blanket encryption is an efficient solution for maintaining IT security within an organization.
So what are the issues?
Blanket encryption presents several big drawbacks. Some of the more basic issues are already well known amongst cyber security professionals. First and foremost, blanket encryption relies on encryption keys in order for legitimate users to gain access to relevant files. Keys must be securely stored and access restricted appropriately.
Furthermore, keys themselves often become the target of malicious attacks on a system. Encryption merely shifts the vulnerability from the sensitive files themselves to the relevant keys stored on an organization’s database.
The threat of targeted attempts to obtain keys has led industry leaders to develop security safe-locks that delete the keys from a system the moment indications of a hack are identified.
Logistical issues arising from blanket encryption can also interfere with company operations. IT managers must ensure that all relevant users have access to keys when the need arises. Coordinating access and configuring inline devices, especially in an era that demands remote system access, is a major task for even well-equipped IT departments.
Encryption also poses an operational challenge when encryption mechanisms have to interface with existing applications. End users dealing with encrypted files have to be trained in how to operate their primary task applications with encrypted data. Collaboration and sharing are also severely impaired when multiple members of a work team require regular access to an encrypted file.
But most importantly:
On a fundamental level, maintaining blanket encryption creates an environment advantageous to hackers. Research demonstrates that nearly all data breaches, over 90 percent, begin with phishing or other tactics that target users with malicious code, which victims then inadvertently download onto company systems.
Hackers often resort to encrypting files containing viruses in order to avoid detection. The share of malware delivered to victims in encrypted form rose from just two percent in 2015 to over 20 percent of all instances as of May 2017. According to a recent estimate, half of all malware will use some type of encryption to conceal delivery by 2019.
The bottom line:
Malicious programs can “blend into the crowd” within a system using blanket encryption, as system managers have to go to significant lengths to identify the content of any given file. Increased efforts within the cyber security community to identify encrypted viruses using markers that a computer can read even while the file is still encrypted demonstrate the pressing problem encryption poses to IT security maintenance.
A more focused alternative to blanket encryption uses the method of content-aware discovery to classify and assess data before it is encrypted. By limiting the amount of encrypted data on a system, content-aware discovery can use encryption itself as a factor in identifying malicious files.
The method assesses traffic through a system and attempts to inspect the payloads it carries. If the encryption of a file prevents this inspection, that serves as an indication that the file is foreign to the system. DLP controls then kick in to isolate or discard the file before it is able to release a payload and/or exfiltrate data.
By implementing a targeted rather than blanket approach to file encryption, system managers are able to maintain more clarity, and therefore more accuracy, in identifying and preventing intrusion or data exfiltration attempts.
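The inspect-then-isolate sequence described above, as an added example that is not part of this article or of any vendor's product: a small Python inspector that first tries to identify what a payload is by its magic bytes or text profile, inflates recognised gzip archives under a size cap so it can look inside, and quarantines anything it cannot read that has the byte-entropy profile of ciphertext. The entropy threshold, the magic-byte table, the inflate cap and the sample payloads are all assumptions constructed for the demo; a production DLP engine carries far richer format parsers.

```python
import gzip
import hashlib
import math
import zlib
from collections import Counter

# Assumed tuning values (not from the article): adjust per environment.
ENTROPY_OPAQUE = 7.2      # bits/byte; ciphertext and random data sit near 8.0
PRINTABLE_MIN = 0.90      # share of printable bytes needed to call a payload "text"
MAX_INFLATE = 1 << 20     # cap on inflated bytes, a decompression-bomb guard

# Minimal magic-byte table; a real inspector has hundreds of entries.
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"%PDF-": "pdf", b"\x89PNG": "png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def identify(data: bytes) -> str:
    """Cheap format identification: magic bytes first, then a text heuristic."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "text" if printable_ratio(data) >= PRINTABLE_MIN else "unknown"


def inspect(data: bytes, depth: int = 0) -> dict:
    """Return {"kind", "entropy", "verdict", "reason"}.

    verdict is "allow" when the content could be read, "quarantine" when it
    could not be inspected: an unrecognised high-entropy blob, or an archive
    that was corrupt or would inflate past MAX_INFLATE.
    """
    kind, entropy = identify(data), shannon_entropy(data)
    if kind == "gzip" and depth < 2:
        inflater = zlib.decompressobj(wbits=31)   # 31 = gzip wrapper only
        try:
            inner = inflater.decompress(data, MAX_INFLATE)
        except zlib.error:
            return {"kind": kind, "entropy": entropy, "verdict": "quarantine",
                    "reason": "corrupt gzip stream"}
        if inflater.unconsumed_tail:              # output cap hit before input ran out
            return {"kind": kind, "entropy": entropy, "verdict": "quarantine",
                    "reason": "archive exceeds inflate cap"}
        result = inspect(inner, depth + 1)        # inspect what the archive contained
        result["kind"] = f"gzip({result['kind']})"
        return result
    if kind in ("zip", "pdf", "png", "text"):
        # Recognised format: a format-specific parser (omitted here) can read it.
        return {"kind": kind, "entropy": entropy, "verdict": "allow",
                "reason": "recognised format, content readable"}
    if entropy >= ENTROPY_OPAQUE:
        return {"kind": kind, "entropy": entropy, "verdict": "quarantine",
                "reason": "unrecognised high-entropy blob, likely encrypted"}
    return {"kind": kind, "entropy": entropy, "verdict": "allow",
            "reason": "unrecognised but low-entropy, readable"}


# --- constructed sample payloads (not real traffic) --------------------------
SAMPLE_TEXT = (b"Q3 revenue summary for the regional sales team. "
               b"Figures are preliminary and subject to audit.\n") * 20
SAMPLE_GZIP = gzip.compress(SAMPLE_TEXT)            # readable once inflated
SAMPLE_BOMB = gzip.compress(b"\x00" * (3 << 20))    # 3 MiB of zeros, tiny on the wire


def constructed_ciphertext(n: int = 4096) -> bytes:
    """Stand-in for ciphertext: a deterministic SHA-256 keystream, demo only."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(b"demo-keystream" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


if __name__ == "__main__":
    for name, blob in [("text", SAMPLE_TEXT), ("gzip", SAMPLE_GZIP),
                       ("ciphertext", constructed_ciphertext()), ("bomb", SAMPLE_BOMB)]:
        r = inspect(blob)
        print(f"{name:10s} kind={r['kind']:12s} H={r['entropy']:.2f} -> {r['verdict']}: {r['reason']}")
```

Two points worth noting from the design: compressed data is also high-entropy, which is why format identification runs before the entropy test rather than after it, and an inspector that opens archives to look inside needs an inflate cap, because an attacker-supplied archive that expands without bound would otherwise exhaust the inspection host.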
Insider Threats: Preventing Data Exfiltration
The digital economy is undergoing remarkable transformation and security is being compelled to evolve as organizations embrace services that are more dynamic in nature. The things organizations do to grow, innovate, and drive performance change the cyber risk landscape every day.
Business leaders today are realizing that digitalization fundamentally enables the sharing of information across a multitude of platforms, not necessarily its protection. They recognize that they are essentially at the mercy of their own employees, and of the third parties associated with them, to handle crucial business-sensitive information.
At the same time, cyber security incidents, including the breach and disclosure of intellectual property, customer data and other sensitive data (e.g., GDPR, PII, PHI, PCI), are increasingly pervasive in today’s business environment. Data is one of an organization's most vital assets, and the cyber risks associated with it are a crucial concern for any organization. According to a 2017 Insider Threat Report, of all the potential cyber threats in the wild, insider threats are among the most prevalent, and associated incidents have risen due to economic conditions and insider access granted to non-approved third parties.
So, fundamentally, who is an insider threat? Any employee who has the potential to harm an organization to which they have inside knowledge or access. The past several years have seen some of history's most high-profile data breaches. The extent of data loss across organizations is increasing year by year, and so are the associated challenges in protecting the data.
The Ponemon Institute’s 2017 Cost of a Data Breach study estimates the cost of a data breach in the US at $201 per record (including many direct and indirect factors). Those costs jump to $215 per record in the case of malicious attacks or incidents involving third parties. Obviously, this can add up to hundreds of thousands, or millions, depending on the amount of sensitive data involved.
But what the various cost analyses of cyber incidents don’t take into account is that malicious attacks are increasingly aimed not at the theft of sensitive data, but at the serious disruption of operations, the elimination of data, or the theft of intellectual property or information that can permanently impact market share and competitive advantage.
Recent attacks demonstrate that we need to change the game
There are multiple types of insider incidents seen across industries. The GTB perspective is that organizations cannot succumb to thinking of themselves as passive victims of cyber crime. However, we need to take stock of the fact that it is our own relentless leveraging of technology that creates the gaps cyber criminals exploit.
Managing the risks arising from insider threats from a cyber risk perspective, though, means that they have to be taken on as a business problem. Executives do not need to suddenly become cyber security experts, but they do need to lead the discussion with an emphasis on:
- Focus on risk mitigation versus compliance requirements: Many organizations are heavily focused on addressing audit and regulatory findings, but the solutions implemented often do not help reduce risk and address threats that the company faces.
- Build and maintain a comprehensive inventory of sensitive assets and data: Many organizations don’t know where their data is. It’s very difficult to appropriately protect data if you don’t know where it is collected, stored, used, and transferred both inside and outside the organization.
- Focus on implementing solutions to protect data and monitor for data loss at the “data layer”: Many organizations are not effectively implementing critical capabilities such as Data Loss Protection (DLP) solutions, encryption and database activity monitoring, among others. They also need to build the capability to monitor systems, applications, people, and the outside environment in order to detect incidents more effectively.
- Consistently execute the security fundamentals: Many organizations are still not consistently executing fundamental data protection capabilities (e.g., patching, privileged access, asset management), which leaves sensitive data even more vulnerable.
This may require more investment, but it may also simply entail a new approach. The crux of that approach is to recognize that managing cyber risk must be an inherent aspect of growth and innovation strategies. The two cannot be separated.
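As an added example of the second and third points above (know where sensitive data lives, and monitor at the data layer), here is a small content-aware discovery scan in Python that is not the article's or GTB's code. It walks a constructed in-memory corpus standing in for a file share, flags payment-card, SSN and e-mail patterns, validates card candidates with the Luhn check so that arbitrary 16-digit strings do not pollute the inventory, and records only masked values, since an inventory that copies the raw data would itself be a sensitive asset. The detector patterns, category names and sample files are assumptions made for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus standing in for a file share. None of these values
# are real; the card numbers are the standard public test numbers.
SAMPLE_FILES = {
    "finance/q3_invoices.csv": ("invoice,card_on_file\n"
                                "1001,4111 1111 1111 1111\n"
                                "1002,5500 0000 0000 0004\n"),
    "hr/onboarding.txt": "New hire Jane Doe, SSN 123-45-6789, email jane.doe@example.com",
    "eng/test_fixtures.txt": "dummy card 1234 5678 9012 3456 used in unit tests",
    "eng/readme.md": "Build with make. Ticket numbers look like ENG-4521.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts most false positives for card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# category -> (pattern, optional validator applied to the matched text)
DETECTORS = {
    "pci:card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
                 lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "pii:ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    "pii:email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
}


@dataclass(frozen=True)
class Finding:
    path: str
    category: str
    masked: str   # the inventory never stores the raw value


def mask(value: str) -> str:
    """Keep only the last four characters, e.g. '**** **** **** 1111'."""
    return "".join("*" if ch.isalnum() else ch for ch in value[:-4]) + value[-4:]


def scan_text(path: str, text: str) -> list:
    findings = []
    for category, (pattern, validator) in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if validator is None or validator(value):
                findings.append(Finding(path, category, mask(value)))
    return findings


def build_inventory(files: dict) -> dict:
    """path -> {category: count}, listing only files where something was found."""
    inventory = {}
    for path, text in files.items():
        counts = {}
        for f in scan_text(path, text):
            counts[f.category] = counts.get(f.category, 0) + 1
        if counts:
            inventory[path] = counts
    return inventory


def locations_of(inventory: dict, category: str) -> list:
    """Answer the 'where is it?' question for one data category."""
    return sorted(path for path, counts in inventory.items() if category in counts)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FILES)
    for path, counts in inv.items():
        print(f"{path:28s} {counts}")
    print("card data lives in:", locations_of(inv, "pci:card"))
```

Run on the constructed corpus, the scan places card data only in the finance export and SSN and e-mail data only in the HR file; the engineering fixture with a non-Luhn 16-digit number stays out of the inventory. The same scan_text function, pointed at outbound e-mail bodies or upload payloads instead of files at rest, is the data-layer monitoring the third point calls for.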