Whenever news of a data breach surfaces, the first reaction of most organizations is to take stock of their perimeter defenses and update them so they do not become the next victim. Keeping first-line defenses such as firewalls, antivirus and antimalware up to date is certainly sound practice, but focusing only on these mechanisms is no longer sufficient at a time when attackers are breaching organizations more often than ever before.
According to the H1 results of Gemalto's 2018 Breach Level Index, more than 3.3 billion data records were compromised worldwide in the first six months of 2018 alone, an increase of 72% over H1 2017. And unsurprisingly, more than 96% of the records breached were not encrypted.
The latest victim of data theft in India is Pune-based digital lending startup EarlySalary, which suffered a breach in which the personal details, employment status and mobile numbers of 20,000 potential customers were stolen. The company discovered the breach only after it received a ransom demand from the attackers, after which it plugged the vulnerability. The company stated that the attack targeted one of its older landing pages, but by then the damage was already done.
With attacks such as these on the rise, organizations can no longer live under the illusion that deploying robust perimeter defenses makes them safe. Whether it is a startup like EarlySalary, which may have had only rudimentary perimeter defenses, or a large organization like Facebook, SingHealth or Equifax, which most likely had top-tier front-line defenses in place, the common thread is that once attackers were inside, the data they reached was usable because nothing protected the data itself. That last line of defense is data encryption.
Secure the Data, Not Just the Systems
Perimeter security mechanisms do raise the cost of an attack, but they do nothing to protect data once an attacker is past them and has access to an organization's files and databases.
Whether the data is at rest or in motion (in transit), encrypting it is the surest way of limiting what an attacker gains from a breach. Properly encrypted data cannot be read without the corresponding key, so a stolen copy of an encrypted database is worthless on its own. The caveat is that this holds only as long as the keys are not stolen alongside the data: an attacker who compromises a running application that holds the key, or the key store itself, can still decrypt everything. This is why key management is part of the picture, not an afterthought.
Below are three steps that organizations need to take to ensure optimal data protection:
Locate sensitive data
First, identify where your most sensitive data files reside – audit your storage and file servers, applications, databases and virtual machines, along with the data that’s flowing across your network and between data centers.
Encrypt & Tokenize it
When choosing a data encryption solution, make sure that it meets two objectives: it must protect sensitive data at every stage (in transit on the network and at rest in storage), and it must be able to tokenize data, that is, replace a sensitive value with a random surrogate so that systems which only need a reference to the value never hold the real thing.
Gemalto's SafeNet Data Encryption Solutions encrypt data at each stage (at rest and in motion) and also include a proprietary Tokenization Manager that generates a random surrogate value (a token or reference key) for each sensitive field. The token carries no information about the original value, so it can be passed around applications and logs without exposing the underlying data.
Safeguard and manage your crypto keys
To prevent the encryption keys from being compromised along with the data they protect, the keys must be stored securely and separately from the encrypted data. Using Hardware Security Modules (HSMs), where keys are generated and used inside tamper-resistant hardware and never leave it in plaintext, is the surest way of achieving this.
When choosing an HSM solution, make sure that it also provides key management covering every stage of the key lifecycle: generation, storage, distribution, backup, rotation and destruction.
Gemalto’s SafeNet HSMs come with an in-built Key Management feature that cohesively provides a single, robust, centralized platform that seamlessly manages the crypto keys at each stage of their lifecycle.
5 Reasons Why Data Encryption Becomes a MUST
With attacks increasing every day, the cybersecurity landscape has shifted dramatically in the last few years. First-line mechanisms like perimeter security are no longer sufficient to prevent data breaches, because once an intruder is inside there is very little that can be done to protect data that was never encrypted.
Recognizing this, governments across the globe are introducing stringent regulations such as the General Data Protection Regulation (GDPR), the RBI's data localization directive, PCI DSS and the Personal Data Protection Bill, 2018 in India, to ensure that organizations put adequate controls in place to protect their users' confidential data.
Below are a few reasons why data encryption is no longer “good-to-have”, but “must-have” in today’s world:
Encryption Protects Data at All Times: Whether the data is at rest or in motion (in transit), encryption protects its confidentiality, and if a copy is stolen, renders it useless to the attacker as long as the key was not stolen with it.
Encryption Maintains Data Integrity: Cyber criminals do not always break in to steal information. As seen in the Madhya Pradesh e-Tender scam, they sometimes alter sensitive data for monetary gain. Note that plain encryption on its own does not detect tampering; an attacker can flip bits in ciphertext without being noticed. What provides integrity is authenticated encryption (for example AES-GCM) or a separate MAC or digital signature over the data, which rejects any ciphertext that has been altered. A modern encryption solution should use authenticated modes throughout so that any change to protected data is flagged immediately.
Encryption Protects Privacy: Encryption keeps users' personal data private and reduces the opportunities for surveillance by governments or cyber criminals. This is one of the primary reasons why Apple has argued that strong encryption strengthens, rather than weakens, our protection against cyberattacks and terrorism.
Encryption Protects Data Across Devices: In today's Bring Your Own Device (BYOD) world, data moves between many devices and networks, each of which is an opportunity for interception or theft. Encrypting data on the device and in transit means that a lost laptop, a stolen phone or a captured network stream yields nothing usable to an attacker.
Encryption Facilitates Regulatory Compliance: To safeguard users' personal data, organizations across many industries must comply with data protection regimes such as HIPAA, GDPR, PCI DSS and the RBI's data localization directive, and with standards such as FIPS 140-2 for the cryptographic modules they use. Encryption is a core control under all of them; under the GDPR, for instance, data that was encrypted at the time of a breach may exempt the organization from having to notify the affected individuals.
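The three-step approach above (locate, encrypt and tokenize, keep the keys separate) and the integrity point in the list are easier to see in working code. The following Go program is an added example written for this page; it is not Gemalto's code and does not use any SafeNet API. It builds a minimal tokenization vault on AES-256-GCM from the Go standard library: sensitive values are replaced by random surrogate tokens, the real values are stored only as authenticated ciphertext, and the data-encryption key is itself wrapped under a key-encryption key (KEK) that the store never holds. The in-memory `kek` byte slice stands in for a key that would live inside an HSM; the vault name, the `Tamper` helper and the sample card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// record is what the data store keeps per token: nonce plus ciphertext
// (with its GCM authentication tag). No plaintext, no key.
type record struct {
	nonce, ciphertext []byte
}

// Vault is the "data store". It holds tokens, ciphertexts and the wrapped
// data key, but never the KEK and never a plaintext key (hypothetical type).
type Vault struct {
	wrappedDEK []byte
	dekNonce   []byte
	records    map[string]record
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and binds aad into the tag, so
// a ciphertext cannot be silently moved to a different token.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// unseal verifies the tag and decrypts; any altered byte makes it fail.
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// NewVault generates a random 256-bit data-encryption key (DEK), wraps it
// under the KEK, and keeps only the wrapped form (envelope encryption).
func NewVault(kek []byte) (*Vault, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, wrapped, err := seal(kek, dek, []byte("dek-v1"))
	if err != nil {
		return nil, err
	}
	return &Vault{wrappedDEK: wrapped, dekNonce: nonce, records: map[string]record{}}, nil
}

// dek unwraps the data key; only a holder of the KEK can do this.
func (v *Vault) dek(kek []byte) ([]byte, error) {
	return unseal(kek, v.dekNonce, v.wrappedDEK, []byte("dek-v1"))
}

// Tokenize stores secret and returns a random surrogate ("tok_" + 32 hex
// chars) that carries no information about the value it replaces.
func (v *Vault) Tokenize(kek []byte, secret string) (string, error) {
	key, err := v.dek(kek)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := fmt.Sprintf("tok_%x", raw)
	nonce, ct, err := seal(key, []byte(secret), []byte(token))
	if err != nil {
		return "", err
	}
	v.records[token] = record{nonce, ct}
	return token, nil
}

// Detokenize returns the original value, or an error if the token is
// unknown, the KEK is wrong, or the stored ciphertext was altered.
func (v *Vault) Detokenize(kek []byte, token string) (string, error) {
	key, err := v.dek(kek)
	if err != nil {
		return "", err
	}
	r, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	pt, err := unseal(key, r.nonce, r.ciphertext, []byte(token))
	if err != nil {
		return "", fmt.Errorf("integrity check failed: %w", err)
	}
	return string(pt), nil
}

// Tamper simulates an attacker with write access to the store flipping one
// bit of a stored ciphertext (the e-tender style alteration in the text).
func (v *Vault) Tamper(token string) {
	if r, ok := v.records[token]; ok && len(r.ciphertext) > 0 {
		r.ciphertext[0] ^= 0x01
	}
}

func main() {
	kek := make([]byte, 32) // stands in for an HSM-resident key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	v, err := NewVault(kek)
	if err != nil {
		panic(err)
	}
	token, _ := v.Tokenize(kek, "4111111111111111") // constructed sample PAN
	fmt.Println("token:", token)
	pan, err := v.Detokenize(kek, token)
	fmt.Println("detokenized:", pan, err)
	v.Tamper(token)
	_, err = v.Detokenize(kek, token)
	fmt.Println("after tampering:", err)
}
```

Two design points carry over to any real deployment. First, the store is useless on its own: it contains only tokens, ciphertexts and a wrapped DEK, so an attacker who dumps it still needs the KEK, which in production sits in an HSM and is never exported. Second, because AES-GCM is an authenticated mode and the token is bound in as associated data, the final call fails rather than returning corrupted plaintext; with an unauthenticated mode such as raw CBC or CTR the flipped bit would go unnoticed.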
It’s time for a new data security mindset. Learn how Gemalto’s 3-step Secure the Breach approach can help your organisation secure your sensitive data from cyber-attacks.