Paid feature

Here's the irony of ransomware data breach stories that gets surprisingly little attention: cybercriminals enthusiastically encrypt and steal sensitive data to extort money, and yet their victims rarely bother to defend themselves using the same obviously highly effective concept.
It should be a no-brainer. If sensitive data such as IP is competently encrypted, that not only means attackers can't access or threaten to leak it; in many cases they won't even be able to see it in the first place, since all encrypted data looks alike.
Ransomware is like a tap on the shoulder, telling everyone they have a problem. It's not that criminals are able to reach the data (perhaps that's inevitable) but that when they get there, the data is defenceless, exposed. You could even argue that ransomware wouldn't exist if encryption and data classification had been widely adopted in the Internet's early days.
Historically, the calculation has always been less clear cut. Using encryption (or tokenisation) across an organisation's data is seen as adding complexity and expense, and as imposing a rigour that few beyond elite regulated industries and government departments are willing to take on. It's an issue that's not lost on Thales UK's cybersecurity specialist Romana Hamplova, or on Chris Martin, IAM pre-sales solutions architect.
"Ransomware targets sensitive data. But if the attackers can't see the contents of the file because of encryption, they can't see that it's sensitive," agrees Hamplova. "On the other hand, there is no need to encrypt all data, only the data that qualifies as worth protecting. Just as you don't want to have all sensitive data exposed/unprotected, you also don't want to have maximum security applied to public data, because that just slows down the infrastructure."
The catch, she says, is that organisations often aren't certain where that sensitive data is, in an increasingly complex world where data gets moved around, deleted, changed and re-classified. In many cases they don't have any easy way to identify what is and isn't sensitive. What you're left with is a form of data paralysis, where organisations default back to trying to stop access to sensitive data rather than protecting the data itself.
"The first job for organisations is to understand what data they have. We enable them to discover the data in both structured and unstructured format, scan those locations and find out what data is there. For instance, perhaps they want to understand what GDPR data they have, or to adhere to PCI-DSS or HIPAA," says Hamplova.
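The discover-classify-protect loop described above, as an added example that is not Thales's CipherTrust code: a small scanner walks both structured fields and free-text notes, labels values that match a PCI card-number detector (with a Luhn check so random 16-digit identifiers are not flagged) or a GDPR e-mail detector, and then tokenises only the labelled fields, leaving public data untouched. The detector patterns, the `tok_` token format, the vault-based tokenisation and the sample records are all constructed for this example.

```python
import re
import secrets

# Illustrative detectors for the two data classes this example cares about
# (constructed for the example, not a production DLP ruleset).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and other random digit runs are not mislabelled as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> set:
    """Return the sensitivity labels found in one field value (empty set = public)."""
    labels = set()
    for m in PAN_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI-PAN")
    if EMAIL_RE.search(value):
        labels.add("GDPR-PII")
    return labels


class TokenVault:
    """Vault-based tokenisation: the real value lives only in the vault, and every token
    looks alike, so someone who steals the protected records learns nothing from them."""

    def __init__(self):
        self._store = {}

    def tokenise(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # hypothetical token format
        self._store[token] = value
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


def protect_record(record: dict, vault: TokenVault):
    """Classify every field and tokenise only those carrying a sensitive label.
    Returns (protected_record, labels_by_field); unlabelled fields pass through unchanged."""
    protected, labels = {}, {}
    for field, value in record.items():
        found = classify(str(value))
        if found:
            labels[field] = found
            protected[field] = vault.tokenise(str(value))
        else:
            protected[field] = value
    return protected, labels


# Constructed sample data: one structured row and one free-text support note.
SAMPLE_RECORDS = [
    {"order_id": "1234567890123456", "card": "4111 1111 1111 1111", "region": "EMEA"},
    {"ticket": 42, "note": "Customer jane.doe@example.com asked about a refund", "public_sku": "SKU-100"},
]


def run_discovery(records=SAMPLE_RECORDS):
    """Scan the records, protect what qualifies, and return the results plus the vault."""
    vault = TokenVault()
    results = [protect_record(r, vault) for r in records]
    return results, vault


if __name__ == "__main__":
    results, vault = run_discovery()
    for protected, labels in results:
        print(labels, protected)
```

Note that the 16-digit `order_id` is left in the clear because it fails the Luhn check, while the card number and the e-mail address inside the unstructured note are both replaced by uniform tokens; an authorised process with vault access can still recover the originals through `detokenise`.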
The ongoing chaos surrounding data and what to do with it was confirmed by Thales's 2021 Data Threat Report, which found that three quarters of the 2,600 global IT respondents questioned weren't certain where all their organisation's data was located.
Less than a third said they were able to classify or categorise it according to sensitivity. Interestingly, on the data protection side, despite 42 per cent saying they'd experienced a data breach within the previous 12 months, half of the victims were still able to avoid notifying information commissioners because the stolen data had been encrypted.
In terms of near-term spending priorities, 37 per cent of respondents mentioned encryption, only one percentage point less than the share mentioning data loss prevention. An identical 37 per cent rated tokenisation as the most effective technology for protecting data, followed by data discovery and classification at 36 per cent, with encryption seen as the most effective by 34 per cent.
"Working from home has made organisations aware of the data risks they have been taking," says Martin. "When people are in an office, there is an implicit amount of security. With working from home, the implied security is lost. You don't have the visibility of that person sitting in front of their computer."
Architectural changes such as cloud access exacerbate this. "What's happened in the last 18 months is that companies are protecting their VPN. But employees are using applications that are not internal, so VPN access won't necessarily control access to the applications or data. They are now separate."
Another anxiety was the burden of software complexity itself, with organisations securing themselves using a mesh of overlapping tools. For example, 40 per cent of organisations admitted to using between five and seven different key management systems, with 15 per cent putting the number at between eight and ten. Much of this headache is caused by the growing importance of diverse cloud platforms.
The company's 2021 Access Management Index uncovered a similar picture with authentication, with 34 per cent of respondents in the UK admitting that they used three or more authentication tools, 26 per cent using three to five, and 8 per cent putting the number at more than five. That level of complexity makes management harder, but it also significantly raises the likelihood of misconfiguration and error.
By coincidence, just as the pandemic sent everyone scurrying to their spare rooms to work in early 2020, US super-body NIST published its first draft of SP 1800-25, which for the first time offered specific advice on coping with ransomware. This was followed in June this year by NISTIR 8374, which related anti-ransomware strategy to the organisation's risk-oriented Cybersecurity Framework, first published in 2014.
Built around the overarching Framework, everything NIST publishes these days is quickly funnelled into best practice presentations the world over. Its influence is being felt across an industry that can't pretend it hasn't been warned, agrees Martin.
"The significance of this is huge. We are used to regulations such as PCI-DSS and GDPR, but NIST is trying to raise the profile of ransomware. It affects the supply chain. NIST is trying to use its weight to do something about this sooner rather than later. The urgency has been raised."
Frameworks work in a different way to rules. Rules create boundaries, a narrow focus, and the risk of the infamous tick-box mindset that says that if the rule has been followed, the job is done. Twenty years of cybersecurity failure say rules aren't enough. It could be that frameworks encourage more nuanced, long-term thinking.
"Even though companies don't necessarily have to comply with the NIST recommendations, they still like to follow them because they understand that it is best practice," says Hamplova. "We have been recommending best practice for years, but unless there is a third-party body like NIST it doesn't always have enough strength. Having a guideline like this can help companies to focus."
A wider challenge remains the need to translate best practice into something which can be understood and implemented under real-world conditions. Thales currently offers a wide range of data protection products and technology across the cybersecurity stack, bolstered by acquisitions including Alcatel Lucent's cybersecurity division (2014), Vormetric (2016) and Gemalto (2017).
The Thales portfolio covers a large proportion of the data protection stack, starting with data classification and encryption, addressed by the CipherTrust platform. This also maps to the risk assessment subsection within the NIST Framework's Identify category (ID.RA). A critical element of CipherTrust is its transparent encryption approach, which means encryption is applied automatically without manual intervention.
"In our systems, encryption should always be transparent to an authorised user or application, to ensure business processes run uninterrupted," comments Hamplova.
As well as file encryption, CipherTrust also allows organisations to apply and manage encryption and tokenisation for applications and databases using APIs. The second layer is access control and authentication, provided by SafeNet Trusted Access, which corresponds to NIST's Protect access control category (PR.AC). In the context of home working, SafeNet adds a layer of security that is more reliable than naively relying on VPNs alone.
"This must go beyond simply identifying the user," says Martin. "It's also about the context, for example where they are located. We can geo-locate with IP address or mobile phone. If someone is doing something from the same IP address as their home, we have a greater degree of confidence about their identity. It's about taking authentication to the next level."
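The contextual authentication Martin describes, as an added example that is not SafeNet Trusted Access code: a policy function scores a login attempt from a few signals (whether the source IP falls inside the user's registered home network, whether the IP's geolocation matches the user's home country, whether the registered mobile phone reports the same country as the IP, and whether the device is known) and turns the score into allow, step-up or deny. The signal weights, thresholds, the stubbed geolocation strings and the sample networks (RFC 5737 test ranges) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class UserProfile:
    username: str
    home_networks: List[str]   # CIDR ranges registered as the user's home connection(s)
    home_country: str


@dataclass
class LoginContext:
    source_ip: str
    ip_country: str                 # result of a GeoIP lookup, stubbed as a plain string here
    phone_country: Optional[str]    # country reported by the registered mobile device, if any
    known_device: bool


def assess_login(profile: UserProfile, ctx: LoginContext) -> Tuple[str, int, List[str]]:
    """Score the context and return (decision, score, reasons).
    Weights and thresholds are hypothetical; a real deployment tunes them to its own risk appetite."""
    score, reasons = 0, []
    ip = ipaddress.ip_address(ctx.source_ip)

    # Matching the registered home network raises confidence, so it lowers the risk score.
    if any(ip in ipaddress.ip_network(net) for net in profile.home_networks):
        score -= 2
        reasons.append("source IP is inside a registered home network")

    # IP geolocation away from the home country is a moderate signal on its own.
    if ctx.ip_country != profile.home_country:
        score += 2
        reasons.append(f"IP geolocates to {ctx.ip_country}, home country is {profile.home_country}")

    # The phone and the IP disagreeing about where the user is, is the strongest signal here.
    if ctx.phone_country is not None and ctx.phone_country != ctx.ip_country:
        score += 3
        reasons.append(f"phone reports {ctx.phone_country} but IP reports {ctx.ip_country}")

    if not ctx.known_device:
        score += 2
        reasons.append("device has not been seen before")

    if score <= 0:
        decision = "allow"
    elif score <= 3:
        decision = "step_up"    # demand a second factor before granting access
    else:
        decision = "deny"
    return decision, score, reasons


# Constructed sample profile and three login attempts.
ALICE = UserProfile("alice", ["203.0.113.0/24"], "GB")

ATTEMPTS = {
    "from_home":    LoginContext("203.0.113.10", "GB", "GB", known_device=True),
    "hotel_abroad": LoginContext("198.51.100.7", "FR", "FR", known_device=True),
    "suspicious":   LoginContext("192.0.2.9", "FR", "GB", known_device=False),
}


def evaluate_all(profile: UserProfile = ALICE, attempts=ATTEMPTS):
    """Return {attempt_name: decision} for every sample attempt."""
    return {name: assess_login(profile, ctx)[0] for name, ctx in attempts.items()}


if __name__ == "__main__":
    for name, ctx in ATTEMPTS.items():
        decision, score, reasons = assess_login(ALICE, ctx)
        print(f"{name}: {decision} (score {score}) - {'; '.join(reasons)}")
```

The point the example makes is that identity alone is not the decision: the same valid credentials are allowed from the home network, pushed to a second factor from a hotel abroad where the phone at least agrees with the IP, and refused when the device is unknown and the two location signals contradict each other.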
Both Hamplova and Martin are cautiously optimistic about the latest cybersecurity bandwagon, zero trust (ZT), which can be thought of as a software-defined perimeter. The idea is a good one (assess users, credentials or applications before allowing them access) but there are still practical difficulties in implementation. It would be perverse if an attempt to reform the naive trust in credentials that has caused so many cybersecurity problems simply created new layers of complexity.
"Our society innovates built on trust. When we talk of zero trust, it's not about being unable to trust anything but about establishing the right element of trust and building from there," says Hamplova.
Martin agrees: "Is zero trust impossible? Ultimately, you have to trust someone or something in your organisation, or externally when accepting trust certificates."
The issue of complexity remains a lurking worry, with too many trust gateways being used to manage poorly integrated technologies. If authentication becomes too complex, trust becomes impossible to deliver. The Thales perspective is that the acid test for cybersecurity is whether it can protect data.
Says Hamplova: "As all cybersecurity specialists know, there is no nirvana! It's always about making it harder for the cyber criminals to reach the critical data and ensuring your organisation is resilient enough to continue operating, should the worst happen."
This article is sponsored by Thales.