Cape Town – The threat of cyber criminals makes encryption a necessity rather than optional, says a security expert.
Gemalto’s Breach Level Index indicated that there were 1 600 disclosed corporate breaches in 2015 as cyber criminals ramped up efforts to gain access to personal and financial data.
“Security leaders at organisations large and small need to admit that they are going to be breached - and then figure out what to do from there. What data is going to cause them massive reputational damage? What data, in the event its integrity is compromised, is going to kill their business?” said Neil Cosser, Identity and Data Protection manager for Africa at Gemalto.
He said that hackers have realised the value of personal data over financial information as a strategy to conduct illicit and illegal activities.
“Compare that to what happens when a digital attacker steals your credit card information: If the credit card's compromised, it's comparatively easy for that credit card to be rejected, stopped, and a new credit card issued,” said Cosser.
“Hackers, in short, understand that it’s way harder (or even impossible) to change your ID number than it is to cancel a credit card,” he added.
Cosser said that encryption of data is a critical aspect of security to mitigate the severity of breaches.
“The technology is there. And the rationale for using it is simple: Breach prevention is dead. Our 2015 Breach Level Index showed over 1 600 disclosed breaches worldwide. That led to more than 700 million records being exposed. To put it simply, blocking breaches isn’t working.
“As we watch hackers hone in on data critical to our lives and our businesses, we need to develop a mind-set that accepts attackers will find a way in - but that our critical data is protected so it doesn’t make its way out,” he said.
In SA, few companies readily admit to breaches because of the fear of reputational damage, Panda Security said recently and less than half (41%) recognise the threat of ransomware, a Kaspersky Lab study found.
Cosser argued that the growth of Internet of Everything devices created multiple channels to allows potential hackers in to a home or corporate network.
Hackers in 2014 demonstrated how to compromise a LIFX smart light bulb and Kaspersky researchers recently showed vulnerabilities in smart city road sensors.
“By making the shift from considering more extravagant (and expensive) ways to keep bad guys out to protecting core assets once a diligent hacker eventually gets in, information security leaders will begin thinking in a totally different way. They’ll begin to evaluate risk better and apply core information security controls, encryption, key management, and authentication,” Cosser argued.
“Even when the attacker breaks through, the locked box they find inside is way less useful than the sprawling flows of data they unlocked in the unencrypted past. And, while encryption is one of the most obvious strategies for preparing for a breach, only 48 of the data breaches in 2015 – less than 4% of all breaches – involved data that was encrypted to any degree,” he added.
- Follow Duncan on Twitter