In today’s digital world, data is the crown jewel, the pièce de résistance. And with the steady pace of major data breaches, securing sensitive data must be a top priority for organizations across the globe. In fact, Verizon’s recently issued 2017 Data Breach Incident Report analyzed 42,068 security incidents – of which 1,935 were data breaches – across 84 countries. The issue of cybersecurity is truly global in scale.
Here’s what’s encouraging: countries around the world are waking up to the reality of the need for security at the data level. In our recent 2017 Global Encryption Trends Study, issued in conjunction with the Ponemon Institute, we found that enterprises have accelerated their adoption of encryption strategies. In fact, 41 percent of respondents said their organization has an encryption strategy applied consistently across the enterprise compared to less than 15 percent in 2005, the first year of this study.
The sheer number of high-profile data breaches and cyberattacks underscores this growing need for encryption, as well as the need to protect a broadening range of sensitive data types. The stakes are simply too high for organizations to stand by and wait for an attack to happen to them.
In my previous blog entry, I wrote on the evolution of encryption. Taking this a step further, I will dive into three key trends for encryption and their impact on global organizations and governments.
In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are strengthening existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external threats.
Top of mind for European organizations is a new legal framework known as the General Data Protection Regulation, or the GDPR. These new requirements will go into effect May 2018, but 2017 will be an important year to prepare for compliance. This regulatory framework affects every business offering goods or services to EU citizens, regardless of where the company resides.
The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations approach data privacy. For a closer look at why businesses need to begin preparations for the GDPR now, check out my colleague Peter Carlisle’s latest blog post.
In Mexico, violations of the federal law on the protection of personal data held by private parties often lead to high fines and penalties. In fact, the regulation’s fines can grow up to 320,000 times the Mexico City minimum wage – and fines at or near this limit have been levied. A recent report found that, despite the financial burden, breaches among Mexican organizations in the last year alone were up more than threefold from the previous year.
In Japan, the country’s amended Act on the Protection of Personal Information (APPI) is soon going into effect. The amended APPI applies to “personal information handling business operators,” which is defined as a person providing a personal information database for use in business. Although there are limited exceptions to this definition, certain obligations under the amended APPI will apply to most businesses using a personal information database for their business in Japan, regardless of the place of incorporation. The deadline for full compliance with APPI is May 30, 2017, and Japanese enterprises are making compliance a top IT security spending priority.
In our neck of the woods, U.S. organizations will be quite familiar with well-known compliance standards such as HIPAA/HITECH, PCI DSS and Sarbanes-Oxley. Organizations required to meet compliance standards are typically those handling vast quantities of personal and financial information, particularly financial, retail and healthcare companies. This data is extremely attractive to cyber criminals and fraudsters.
Healthcare data has become highly desirable to bad actors, and much more valuable than credit card information. The enormous detail available in patient records makes it possible for criminals to not only apply for credit cards or loans, but also to generate large sums from fraudulent medical charges – or even to compromise a patient’s existing financial accounts.
Compliance requirements are certainly driving data security decision-making in U.S. healthcare, with 57 percent of healthcare organizations listing it as the top spending impetus. That’s according to the 2017 Thales Data Threat Report, Healthcare Edition, which was issued this February. In contrast, the report found that compliance ranks near the bottom of spending drivers among healthcare respondents outside of the U.S. Instead, the top two motivations for security spending are “preventing data breaches” (39 percent) and “protecting reputation and brand” (also 39 percent). These findings further underscore the differences between the U.S.’s privately focused healthcare system, with its emphasis on regulations, and areas of the world where healthcare is less regulated or primarily government-operated, such as the UK.
Unfortunately, compliance is only somewhat helpful in addressing data security concerns. Cyberattacks change daily and hourly, but compliance regimes take many months and years to update. This leaves compliance mandates requiring organizations to use protection methods that attackers may have already circumvented. Compliance is certainly a baseline standard and a good starting point, but it is not a foolproof strategy for protecting sensitive data.
One of my favorite analogies for compliance is this: Think of compliance as a bridge. It’s the bridge that allows your company to cross the water and enter the castle. But what’s stopping invaders from also crossing that bridge? That’s right – you need guards, and a moat, cannons, and maybe some dragons. With determined attackers able to breach any organization’s perimeter, it’s time for organizations to realize that compliance isn’t enough.
As information moves to the cloud, data may be under an organization’s logical control but physically reside in infrastructure owned and managed by another entity. This shift in control is the number one reason new approaches and techniques – such as encryption with strong key management – are required to ensure organizations can maintain data security.
The question then arises: once highly sensitive data, such as personally identifiable information (PII) or personal health information (PHI), is sent to the cloud, how can organizations continue to prove to the compliance office that they have control of their data? According to the Global Encryption Trends Study, 67 percent of global organizations are tackling this in one of two ways: they either perform encryption on premise prior to sending data to the cloud, or encrypt in the cloud using keys they generate and manage on premise.
In our recent report on advanced technologies, we found that concerns about using cloud environments are still quite high, but have dropped somewhat since last year, typically by 8-12 percent. Perhaps this is because most reported problems for cloud environments have stemmed from a compromised credential or account at the enterprise level, not at the cloud provider.
Inherently, all cloud service providers (CSPs) have some security included in their service offerings, and some security is better than no security. Most cloud providers enable network encryption by default to protect data in transit, and the majority of cloud providers offer encryption for data at rest, which limits the damage in the event that stored data is leaked from the cloud service.
The security of any cloud service, however, depends on the level of protection given to the cryptographic keys used to protect sensitive data. These keys are the root of trust in an enterprise’s entire system – if they are lost, so is the data. If they are stolen, secrets might not stay secret for long. Just as with on-premise systems, when you move data to cloud services, it is critical not only to protect it, but to properly manage and secure encryption keys.
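The first of the two routes above (encrypt on premise before upload) and the point about keys as the root of trust can both be shown in a few dozen lines. What follows is an added Go example written for this post; it is not code from the original article and not a Thales product or cloud-provider API. It assumes a simple envelope scheme: each object gets a one-off data key, the data key is wrapped under a key-encryption key (KEK) that never leaves the organization, and only the ciphertext plus the wrapped data key are handed to the cloud. `NewKEK` is a stand-in for whatever on-premise HSM or key manager would really hold the KEK, and the sample record is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what actually gets uploaded: the ciphertext plus the per-object
// data key, itself sealed under the on-premise KEK. Without the KEK the
// provider (or anyone who copies the bucket) holds only ciphertext.
type Envelope struct {
	WrappedDataKey []byte // data key sealed under the KEK, nonce prefixed
	Ciphertext     []byte // payload sealed under the data key, nonce prefixed
}

// NewKEK returns a fresh 256-bit key-encryption key. Stand-in for an HSM or
// key manager: here it is just random bytes so the example runs offline.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, binds aad to the
// result, and returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key, a tampered blob or
// mismatched aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud runs on premise before upload. objectName is bound as
// associated data so an envelope cannot be silently moved to another object.
func EncryptForCloud(kek, plaintext []byte, objectName string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dataKey, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud runs on premise after download: unwrap the data key with
// the KEK, then open the payload. Lose the KEK and the data is gone too.
func DecryptFromCloud(kek []byte, env Envelope, objectName string) ([]byte, error) {
	dataKey, err := gcmOpen(kek, env.WrappedDataKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, env.Ciphertext, []byte(objectName))
}

func main() {
	record := []byte(`{"patient_id":"P-0001","note":"constructed sample"}`) // not real PHI
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	env, err := EncryptForCloud(kek, record, "phi/P-0001.json")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromCloud(kek, env, "phi/P-0001.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes, round trip ok: %s\n", len(env.Ciphertext)+len(env.WrappedDataKey), pt)
}
```

The second route in the study (encrypt in the cloud with keys generated on premise) uses the same envelope shape; the difference is that the provider's service performs the data-key step while the organization still supplies and controls the KEK. In either case, the checks that matter for the compliance office are the ones the code makes explicit: the KEK is never part of what is uploaded, a different KEK cannot unwrap the data key, and any modification of the stored blob is detected on decryption.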
Thales partners with the leading CSPs, namely Amazon Web Services (AWS), Google, Microsoft and Salesforce, to ensure enterprises can control their cryptographic keys. This enables enterprises to trust those services with their most valuable assets, giving them the confidence to accelerate their cloud deployments.
Traditionally an organization’s encryption strategy would have fallen primarily within the confines of its IT team. However, findings from our most recent Global Encryption Trends Study show that the balance of power has shifted.
For the first time in the history of the study, business unit leaders now have the highest influence over encryption strategy – up from 10 percent in 2005 to 30 percent in this year’s study. In contrast, the influence held by IT operations has significantly decreased over the same time period from 53 percent to 29 percent. Increasingly, encryption is becoming a boardroom-level issue.
It’s no coincidence that this rise in influence on encryption strategy among business leaders mirrors the rising number of massive data breaches impacting high-profile companies. Just last year, for example, web giant Yahoo! admitted that data of nearly one billion users was stolen in what could be the world’s largest-ever publicly disclosed breach.
With such devastating effects to a company’s bottom line and reputation, as well as a considerable loss of customers, the risk of falling victim to a data breach is undeniably keeping board members awake at night. Data privacy is now of paramount importance for businesses wanting to keep valuable data – both their own sensitive data and that of their customers – out of the hands of a malicious hacker, and to keep themselves out of tomorrow’s headlines.
It’s encouraging to see that data protection is increasingly making its way up the boardroom agenda. Today, the stakes are too high for an organization to stand by and wait for an attack to happen before introducing measures such as encryption that are now widely recognized as best practices to protect sensitive data. And although the balance of power in terms of driving encryption strategy has changed, the partnership between business leaders and IT operations remains paramount to ensuring that encryption, and the associated lifecycle management of encryption keys, is done well.
In the coming months, Thales will be issuing new, region-specific editions of our Global Encryption Trends Study. Continue to check back for the latest in encryption trends from around the globe.