We carried a story earlier this week with the worrisome finding that more records of personal information were lost or stolen in the first half of 2017 than in all of 2016, and that was excluding the recent recount from Yahoo.
The Breach Level Index reported that 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017. Compared to the last six months of 2016, the number of lost, stolen or compromised records increased by a staggering 164%.
Unsurprisingly, malicious outsiders were reported as the cause for the largest percentage of data breaches at 74%, an increase of nearly a quarter (23%).
However, far more worrying was that less than 1% of the stolen, lost or compromised records were encrypted!
To put this in context, that means that, to all intents and purposes, none of the records lost were encrypted.
Considering that for a moment, that is utterly staggering.
Database encryption has been available on most enterprise-level database platforms for more than 10 years, and while there was initially a performance overhead, today it is minimal.
Not only that, but there are different methods of implementing database encryption, from table-level to column-level and file-level encryption, each with a different performance impact, but all of which are now reduced to a fairly minimal overall overhead.
Added to this, cryptographic support within applications, and even on-chip cryptographic capabilities, have been common for about five years, so again there are few excuses for not implementing it.
Even network-layer encryption has now reached the point where it is a realistic option for many organisations, protecting east-west as well as north-south traffic and ensuring that even if an intruder does get in, or an insider wants to move about, the data is protected.
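As an added illustration of the column-level encryption mentioned above (example code, not from the original post or any named product), the following Go snippet encrypts one sensitive column of a row with AES-GCM under a key that is assumed to be held outside the database, binds the ciphertext to its row ID, and refuses to return anything for a wrong key, a wrong row or a tampered value. The function names EncryptColumn and DecryptColumn are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strconv"
)

func newGCM(key []byte) (cipher.AEAD, error) { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn protects one column value with AES-GCM; the row ID is bound as
// additional authenticated data. Stored layout: nonce || ciphertext || tag.
func EncryptColumn(key []byte, rowID int, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte("row:" + strconv.Itoa(rowID)) // ciphertext cannot be moved to another row
	return gcm.Seal(nonce, nonce, []byte(plaintext), aad), nil
}

// DecryptColumn reverses EncryptColumn; a wrong key, row or tampered byte is an error.
func DecryptColumn(key []byte, rowID int, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(stored) < ns+gcm.Overhead() { // too short to hold nonce and tag
		return "", errors.New("stored value too short to be valid")
	}
	aad := []byte("row:" + strconv.Itoa(rowID))
	pt, err := gcm.Open(nil, stored[:ns], stored[ns:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

A dump of the table then yields only nonces and ciphertext, which is what an encrypted record in a breach looks like to whoever took it.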
So, to return to that statistic: less than 1% of data lost or stolen was encrypted. While the story does not give a specific breakdown by organisation size, I’d be willing to bet that the majority were enterprise-class organisations, be they public or private sector.
For such organisations to almost completely ignore encryption as a means of protection against just such an eventuality is, frankly, incomprehensible.
The infrastructure, the hardware, the operating systems and the applications all support low-overhead encryption, to the point where it is most often turned on by default. For such recent statistics to reveal that it is in such low use speaks very badly of the understanding of the level of risk that is now prevalent.
I have spoken more than once about the fact that attitudes to information management are now changing, based more on restricted access and need-to-know-only policies, but with these most recent figures it appears that organisations are still failing on the basics.
Organisations need to look at themselves now, perhaps with GDPR as a good spur, and ask whether data is being stored correctly, whether only the people who need access have it, and whether it can be encrypted, at rest and in motion, to protect it.
While I’ve never been one for scare tactics, in this instance it seems appropriate that everyone from the database admin to the business unit manager, the CISO, the CIO and the CEO is given the wake-up call to support efforts to ensure that encryption is used to its fullest to protect data, irrespective of what regulatory obligations ask.
As the UK government changed its attitude to cloud computing to the point where new projects must now justify a decision not to go to cloud, so too must organisations change their attitude to encryption and ask why not encrypt. And in fairness, the reason for not encrypting in today’s risk landscape would need to be pretty bloody good.