How many times have we heard CEOs of breached companies come out and say that “everything is okay as they didn’t get your credit card details”? That’s reassuring to a point, but we know how cyber criminals can patch together bits of stolen data – along with information readily available online – to launch clever phishing attacks or impersonate their victims. In one recent case, the Reverend Mike Hall found that criminals had stolen his identity to sell his house and bank the proceeds without his knowledge. The first he knew about it was when he drove back to find building work being done at the property.
Cifas, the UK’s counter fraud organization, is warning of a surge in identity fraud as cases filed to the National Fraud Database increased by 11 percent in the first six months of 2021, in a pattern similar to the aftermath of the 2008 financial crisis. Mike Haley, Chief Executive of Cifas, said: “Our members have seen over half a million instances of identity fraud over the last three years. The increase in the first six months of the year is extremely concerning as it indicates that the volume of identity fraud will continue to rise post-Covid as fraudsters exploit the identities of more innocent victims for criminal gain.”
The sudden shift to working from home has compounded the problems. According to a survey commissioned by SecureAge, forty-eight percent of businesses said they experienced a cyber breach during the pandemic.
Online life increases risk
The fact is that these days, the idea that there is sensitive data and non-sensitive data is a flawed concept. All data must be considered sensitive and worthy of strong protection. Considering all data is sensitive also overcomes a major challenge. In a recent Ponemon report, 67 percent of respondents said that discovering where sensitive data resides in their organization was the number one challenge in planning and executing a data protection strategy. Even when data classification technology is used to identify ‘important’ or ‘sensitive’ data, the report found that 31 percent cited classifying which data to protect as difficult.
It’s easy to classify some data such as intellectual property, source code, merger and acquisition plans, financial records, customer records, personally identifiable information (PII), human resources records, etc. But where do you draw the line – if there is a line to be drawn? Manual classification is impractical for most organizations, but automation means that search patterns and rules must be developed, each with its own inaccuracies. And once existing data has been classified, it must become an ongoing process for users to assign classification tags to new, modified or shared data. Staff who just want to get their jobs done may be tempted to subvert or circumvent the system, or intentionally misclassify data to avoid draconian policies and procedures.
For most organizations, it is challenging—bordering on impossible—to implement effective data classification at scale in order to assign security measures. If it is difficult to identify sensitive data and where it is located, why is it that the accepted norm is to encrypt only the ‘most important’ data?
A lot of this stems from the way we look at data security. The traditional approach is to add more barriers, access controls and authentication mechanisms to stop the cyber criminals from getting to the data. But this is just like building higher security fences with stronger locks, and history tells us that if someone is determined enough or simply lucky, they will get through. And if the data behind the fence is still unprotected, it’s game over.
Time to focus on the data
Rather than trying to stop people from getting unauthorized access to data – we should protect the data itself. Data encryption is the way to do this. It’s been with us for decades and is tried and trusted technology. But most encryption solutions just do half the job. For example, full disk encryption is great for protecting data on a powered-off system. If you leave your laptop on the train or lose a USB stick, no one is going to be able to decrypt your data. But as soon as a PC is powered on, data can be stolen from it – in the clear, not encrypted.
The only sure way to protect all your data, all of the time, is to encrypt everything – at rest, in transit and in use. File-level encryption goes with the data rather than being an attribute of the hardware it happens to be stored on. This means that when a hacker reviews the data they just stole, they will find that it’s useless to them. It’s like beating ransomware criminals at their own game.
It sounds complex, and the common misconception is that encrypting everything must be difficult to set up and manage, and that it will have an impact on performance and user experience. However, the reality is that it’s perfectly possible to deploy file-level encryption that encrypts all your data, all the time, with no decisions or configuration about which folders to encrypt or not. This means that there is no need to decide and classify what data is sensitive and should be protected. Universal file-level encryption is just like Full Disk Encryption – but it works to keep all files encrypted throughout the life cycle of the data. This way, we are finally building security into the only thing that has value – the data itself.