As children we all enjoyed those puzzles where words had their letters scrambled and we had to figure out the secret to make the words or sentences legible. This simple example of encryption is deployed in vastly more complex forms across many of the services we use everyday, working to protect sensitive information. In recent years the financial services industry has added a new layer of encryption called tokenization. This concept works by taking your real information and generating a one-time code, or token, that is transmitted across networks. The benefit is that if the communication is intercepted your real details are not compromised.
According to our Breach Level Index there were 1,765 breaches in 2017. And these breaches are getting faster and larger in scope, over two billion records were lost last year. The fallout for companies is significant so it is in their interests to do whatever they can to protect their customer’s data.
Of course, encryption is a very complicated field of research, and one shouldn’t expect board level executives to understand how the cryptographic algorithms work. But they must understand just how vitally important it is that data is secure, whether at rest or in motion.
Those working on encryption face a challenge to ensure that access to applications, databases and files is unimpeded by the need to encrypt and decrypt data. There is a performance issue here, and so companies need to evaluate and test while decided what data, when, how and where should be encrypted.
The worrying thing is that despite the clear need for such work, there is a distinct lack of cyber security professionals worldwide—and especially in encryption. Indeed, you’ll often see job postings for security positions where experience of encryption isn’t even mentioned.
As the statistics show, this is having a huge effect on companies. In 2017, less than 3% of data breaches involved encrypted data. If we accept that companies are going to get hacked it is imperative that any data that is stolen is rendered useless through encryption.
Encryption would have mitigated the damage to brand image, reputation, company financial losses, government fines and falls in stock prices as well as damage to their executives image and reputation. It is also a major disincentive to criminals as the effort needed to crack the algorithms makes it entirely unprofitable while there are so many other available targets.
So if the problem is so clear, and the solution so obvious, why are companies delaying investing in encrypting data?
Well, many executives I speak to daily in Latin America tell me that the security of their Big Data is handled by their cloud service provider. And if there was a leak, it would be the supplier’s responsibility.
This completely overlooks that customers, authorities, investors and the wider public do not care about this distinction. They will all associate any breach with the company, never a supplier of services. So, while ultimately liability may fall at the feet of the cloud service provider, the immediate and potentially catastrophic impact will be felt by the breached company.
It is therefore crucial that companies start taking serious responsibility for the data of their customers. Whether internal staff or cloud provider, conversations need to be had about how data is encrypted. This includes:
• Checking that the cryptographic algorithms used are certified by international bodies
• Checking to ensure that your cryptographic keys are stored in an environment fully segregated from where you store your encrypted information (whether held by third parties or in your own systems, files, or databases).
PwC suggests that one of the biggest concerns CEOs fear is a cyber-attack. Given the severity of the threat, we must recognize that we are all responsible for promoting data security. And that means adopting best practices for data protection, deploying encryption, and optimizing management of cryptographic keys.