Has there ever been a data security tool as valuable and as misunderstood as encryption? Ian Schenkel, from Protegrity, investigates.

There's no debate over the fact that data breaches are sharply on the rise. In mid-March the chief enterprise risk officer for Visa, Ellen Richey, said that common sense dictates that a challenging economy will produce increased data theft activity - sales of stolen data remain an exceptionally vibrant business despite the downturn. Richey added that: 'security and law enforcement experts have confirmed that cyber attacks on consumers and businesses have intensified in recent months.'

According to the Identity Theft Resource Centre's 2008 breach report, which only tracks incidents involving personally identifiable data, there were 656 reported breaches at the end of 2008, an increase of 47 per cent over the 2007 total of 446. And we're off to a rather distressing start in 2009, with 125 breaches reported in the first three months of the year, affecting 1,553,069 records, according to the Open Security Foundation.

What is more depressing is that the Identity Theft Resource Centre reports that only 2.4 per cent of the companies involved in reported breaches utilised encryption. The vast majority of the exposed data was open to attack, a sad fact that no doubt delighted data thieves and enabled them to profit from the purloined data.

Criminals are so pleased by the discovery of unencrypted data that they are now deliberately targeting small and midsize businesses, according to information presented at the Visa Security Summit 2009, under the assumption that big business will have already done the right thing and have encrypted data throughout its lifecycle.

Bad assumption, at least as far as the UK is concerned. Recent studies indicate that about half of UK companies of all sizes still do not have a comprehensive plan to encrypt critical data.

Why do many companies continue to be extremely reluctant to use encryption, opting not to deploy it at all or to use it in a piecemeal fashion that provides extremely limited protection?

A disinclination to invest wisely in data security is one reason, but in most cases companies fear that encryption is too hard to set up and use or that it will slow network performance. Other concerns are that it will impact the availability of data for use in critical business processes, or result in irretrievable data if something goes wrong with the encryption scheme.

These and other concerns were valid decades ago when encryption technology was in its infancy. But the vast majority of these lingering myths are now incorrect and are stopping companies from utilising a valuable tool that serves as their ultimate last line of defence if their network is penetrated.

So let's shine the light of truth on some of the most common encryption myths:

Myth 1: Deploying encryption is insanely difficult

People who still cling to this myth are breaking the hearts of thousands of folks around the world who have slaved for many, many years to ensure that enterprise encryption solutions are easy to deploy and maintain - and today's well-designed solutions will leave no one pulling their hair out in a tizzy of technical frustration.

That said, to ensure the best possible deployment a business has to do its homework and spend a bit of time developing a risk-based data security management plan.

Sounds complicated but it's really just a matter of using common sense. Data that is resalable for a profit - typically financial, personally identifiable and confidential information - is high risk data and requires the most rigorous protection; the protection level for other data should be determined according to its value to your organisation and the anticipated cost of its exposure - would business processes be impacted?

Would it be difficult to manage media coverage and public response to the breach? Then assign a numeric value for each class of data; high risk = 5, low risk = 1. Classifying data precisely according to risk levels enables you to develop a sensible plan to invest budget and efforts where they matter most.

After classifying the data, you need to map how it flows into, through and out of the company. A complete understanding of this flow enables a business to implement a cohesive data security strategy that will provide comprehensive protections and easier management resulting in reduced costs.

Begin by locating all the places data resides, including applications, databases, files, data transfers across internal and external networks, etc., and determine where the highest-risk data resides and who has or can gain access to it (see 'attack vectors' section below). High risk data residing in places where many people can or could access it is obviously data that needs the strongest possible protection.

Once you understand what data needs what levels of protection, and where that data moves or resides, the process of deploying and maintaining an encryption solution is vastly simplified. Risk-based planning is the difference between lighting a candle and groping around, cursing, in the dark.
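As an added illustration of the classification and flow-mapping steps above (example code written for this page, not from the article or from Protegrity), the following Python model scores each place data resides by its risk level and by how many people can reach it, then orders the inventory so budget and effort go where they matter most. The risk values for the intermediate data classes, the access-count buckets, the protection tiers and the sample inventory are all assumptions; the article fixes only the 5 = high, 1 = low end points.

```python
from dataclasses import dataclass
# Constructed risk scale per data class on the article's 1 (low) .. 5 (high) axis;
# the article fixes only the end points, the intermediate values are assumptions.
RISK_LEVEL = {"cardholder": 5, "pii": 5, "confidential": 4, "internal": 2, "public": 1}
ACCESS_BUCKETS = (5, 25, 100, 500)  # assumed cut-offs for exposure levels 1..4, above -> 5

@dataclass(frozen=True)
class DataStore:
    name: str
    kind: str               # "application", "database", "file" or "transfer"
    data_classes: tuple     # data classes held or carried here
    accessors: int          # people who have or could gain access
    external: bool = False  # a transfer that crosses an external network

def max_risk(store: DataStore) -> int:
    """A store is as risky as the most sensitive class it holds."""
    return max(RISK_LEVEL[c] for c in store.data_classes)

def exposure(store: DataStore) -> int:
    """Breadth of access on a 1..5 scale, one level higher for external transfers."""
    level = 1 + sum(store.accessors > cap for cap in ACCESS_BUCKETS)
    return min(5, level + int(store.external))

def priority(store: DataStore) -> int:
    return max_risk(store) * exposure(store)  # high-risk data many can reach scores highest

def protection_tier(store: DataStore) -> str:
    risk, score = max_risk(store), priority(store)
    if risk >= 4 and score >= 12:
        return "strongest: encrypt at rest and in transit, separate key management"
    if risk >= 4:
        return "encrypt and restrict access"
    if score >= 6:
        return "access control and monitoring"
    return "baseline controls"

def build_plan(inventory):
    """Order the inventory by where budget and effort matter most."""
    return [{"name": s.name, "risk": max_risk(s), "exposure": exposure(s),
             "priority": priority(s), "tier": protection_tier(s)}
            for s in sorted(inventory, key=priority, reverse=True)]

# Constructed sample inventory, not a real organisation.
INVENTORY = [
    DataStore("payments_db", "database", ("cardholder", "pii"), accessors=40),
    DataStore("hr_share", "file", ("pii", "internal"), accessors=300),
    DataStore("partner_feed", "transfer", ("confidential",), accessors=12, external=True),
    DataStore("intranet_wiki", "application", ("internal", "public"), accessors=2000),
    DataStore("marketing_site", "application", ("public",), accessors=5000),
]
```

Running `build_plan(INVENTORY)` puts the widely accessible HR file share and the payments database first, and ranks the external partner transfer above the intranet wiki despite the wiki's far larger audience, because the transfer carries higher-risk data.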

Myth 2: Managing an encryption solution is excessively complicated

Managing a collection of point solutions can be a challenge, akin to being trapped in a room with a bunch of high-strung toddlers all of whom are excitedly vying for your attention. Centralised solutions are another matter altogether - the best are strongly focused on simplifying oversight and administration chores, adhere to the enterprise's security policy and enforce consistency across the enterprise ecosystem.

Myth 3: Encryption will noticeably impact network performance

True about ten years ago but not true now - assuming the business is using a modern encryption solution on a network that isn't already overburdened and running at its performance peak, and / or an overly paranoid IT person hasn't opted to encrypt every single byte that passes through the system with DEFCON level 1 security.

Deploy a good encryption solution aligned with the enterprise's data risk-management profile and you are very unlikely to miss the computing resources needed by the encryption solution (roughly two to five per cent for standard uses). Modern solutions are designed carefully to make the best use possible of available computing cycles and will also take advantage of background processing to help ensure that encryption has virtually no impact.

Myth 4: Encryption will negatively impact data availability

Your encryption solution should be all but transparent to users, if your security policies are granular and well thought out. If so, and if performance is still not what it should be, begin troubleshooting by looking carefully at enterprise use patterns. What applications are accessing the database or data warehouse most often?

Are your users performing sophisticated data analysis on a regular basis, or just viewing reports? Where are the bottlenecks? Once you have a good feel for what the problems are, you can investigate offerings such as optimisation techniques, data marts and operational data stores to perk up the performance of your database or data warehouse.

Myth 5: A technical or staffing problem could make it impossible to decrypt our data

A good encryption solution will help ensure that your data isn't rendered unreadable if the head of IT suddenly decides to run away from home to join the circus or otherwise goes rogue.

There are checks and balances, backups and double-authentications involved, just like the enterprise accounts payable system. Should your encryption key somehow get lost or become otherwise unavailable, you'd use the built-in key restoration tool to get back on track and decrypt that data.

Encryption is already in place and working perfectly in many enterprises, with legacy, off-the-shelf and customised applications, in mixed platform environments, on big iron and sleek servers. There's simply no sensible reason to delay deploying this critical method of data defence.