
SPOTLIGHT ON SECURITY

Breach Outbreaks Fuel Encryption Adoption

As data breaches make headlines around the world, more companies are turning to encryption to protect their most valuable data. That is one of the findings in a study released Monday, conducted by the Ponemon Institute and sponsored by Thales E-Security.

“Mega breaches and cyber attacks have increased companies’ urgency to improve their security posture,” says the report, which is based on a survey of more than 4,000 IT and security professionals in 10 countries.

Only 15 percent of the respondents said their businesses didn’t have an encryption strategy, the researchers found.

Moreover, encryption has begun to show up on the boardroom radar.

“While IT continues to have the most responsibility for defining the company’s encryption strategy, lines of business are becoming more important,” notes the report. “This could be due in part to companies permitting greater use of employee-owned devices and an increase in the consumerization of IT.”

Antidote for Bad Security

Also bringing encryption to the top-of-mind of executives are consumer concerns over privacy and the importance of meeting data and privacy mandates from governments and other regulators, according to the report.

“Encryption, in some ways, is the antidote to bad security,” said Richard Moulds, vice president for strategy for Thales E-Security. “If you believe there’s a risk that data will be lost from your business, then encryption is your backstop. If you lose encrypted data, then the impact is minimized and may even be zero.”

Moreover, in many parts of the world encryption can exempt a company from breach notification requirements, provided the keys were not compromised along with the data; as the Washington bill in the Breach Diary below shows, some legislatures are narrowing that exemption.

“They give you a ‘get out of jail free’ card if your data is encrypted,” Moulds told TechNewsWorld.

That’s reflected in the survey findings, too, as only 22 percent of the respondents believed they would need to report a breach in which encrypted data was stolen.

As more organizations embrace encryption, however, they’re finding it’s not the set-it-and-forget-it technology they may have thought it was.

Pain in the Keys

A major sore point for many organizations employing an encryption strategy is key management. More than half of the survey respondents (56 percent) said managing keys or certificates was a pain point for them.

The top reasons for the difficulty, according to those surveyed: no clear ownership (58 percent); isolated and fragmented systems (50 percent); and lack of skilled personnel (47 percent).

“Keeping hold of keys, deciding who has access to keys, escrowing, backing up and recovering these keys becomes a big organizational problem. Obviously, if you lose those keys then you’ve lost your data. You’ve scrambled it forever,” Moulds said.

“Key management is holding encryption back in some industries,” he added.

Solutions many organizations have chosen to manage their keys leave something to be desired, too. For example, 51 percent of the respondents said they managed their keys manually — in a spreadsheet or on paper.

“The issue of managing keys is still immature, and very few organizations are very well equipped to do it, even though many organizations are rushing to deploy encryption,” Moulds noted. “That’s a red flag to me.”
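Envelope encryption is the usual structural answer to the key-management problems Moulds lists (ownership, escrow, backup, recovery): each data set gets its own data-encryption key (DEK), every DEK is stored only wrapped under a single key-encryption key (KEK), so the inventory of wrapped keys can sit in an ordinary database and the only secret that needs escrow and backup is the KEK. The Go program below is an added example written for this page, not code from the Ponemon report, Thales or the article. It assumes a 32-byte KEK held in escrow; the key ID "payroll-2015", the owner "finance" and the sample plaintext are constructed, and the Vault, KeyRecord, seal and open names are its own. It shows both outcomes Moulds describes: an escrowed KEK paired with an inventory backup recovers the data, while a lost KEK fails the AES-GCM unwrap and the data stays scrambled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyRecord is one inventory row: who owns a DEK and the DEK itself, stored
// only wrapped under the KEK (nonce || AES-GCM output). Nothing here is secret.
type KeyRecord struct {
	Owner      string
	WrappedDEK []byte
}

// Vault pairs the KEK with the inventory of wrapped DEKs; only the KEK needs
// escrow, and a restore is an escrowed KEK copy paired with an inventory backup.
type Vault struct {
	KEK       []byte
	Inventory map[string]KeyRecord
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prefixing a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or tampered data fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext shorter than %d-byte nonce", n)
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// CreateKey generates a DEK, wraps it under the KEK and records its owner.
func (v *Vault) CreateKey(id, owner string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := seal(v.KEK, dek)
	if err != nil {
		return err
	}
	v.Inventory[id] = KeyRecord{Owner: owner, WrappedDEK: wrapped}
	return nil
}

// dek unwraps the named DEK; this is the step that fails once the KEK is lost.
func (v *Vault) dek(id string) ([]byte, error) {
	rec, ok := v.Inventory[id]
	if !ok {
		return nil, fmt.Errorf("no key %q in inventory", id)
	}
	return open(v.KEK, rec.WrappedDEK)
}

// Encrypt and Decrypt protect application data with the named DEK.
func (v *Vault) Encrypt(id string, plaintext []byte) ([]byte, error) {
	dek, err := v.dek(id)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext)
}

func (v *Vault) Decrypt(id string, ciphertext []byte) ([]byte, error) {
	dek, err := v.dek(id)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek)
	v := &Vault{KEK: kek, Inventory: map[string]KeyRecord{}}
	v.CreateKey("payroll-2015", "finance") // constructed sample ID and owner
	ct, _ := v.Encrypt("payroll-2015", []byte("salary table"))
	backup := &Vault{KEK: kek, Inventory: v.Inventory}            // KEK was escrowed
	lost := &Vault{KEK: make([]byte, 32), Inventory: v.Inventory} // KEK never backed up
	pt, err := backup.Decrypt("payroll-2015", ct)
	fmt.Printf("escrowed KEK: %q, err=%v\n", pt, err)
	_, err = lost.Decrypt("payroll-2015", ct)
	fmt.Println("lost KEK:", err)
}
```

In production the KEK would live in an HSM or a managed key service rather than in process memory, and each inventory row would carry rotation dates and an access policy as well as an owner; the point is that the inventory, not a spreadsheet, is the system of record, and that escrowing one KEK protects every DEK under it.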

The Threat of Savvy Users

Much has been made in security circles about the threats posed to organizations by naive users doing such things as opening phishing mails, clicking on malicious links and opening attachments.

While those missteps continue — Verizon’s annual breach report last week found 23 percent of recipients open phishing messages and 11 percent click on attachments in them — users are getting more savvy, which can create its own security problems.

“The typical employee today grew up with technology. They love technology and they’re always trying new things, which gives you a dark Net aspect,” said Bob Hansmann, director of product security at Websense.

“There may be things being used for business in your network, and the IT people don’t know about it,” he told TechNewsWorld.

That calls for a shift in attitude by IT pros, Hansmann continued.

“They have to start engaging more with users and learn to develop a little more respect for users’ decisions. They have to become the department of ‘yes’ rather than the ‘no’ people,” he said.

“Just saying no doesn’t work, because you know your users will find a way around it,” he added. “Shadow IT disappears the moment you shine a light on it. Take it. Embrace it. Then you have the power to make it safe.”

My Dog Ate My Email

Presidential hopeful Hillary Clinton caused a hullabaloo recently by acknowledging that she stashed office email on a private server at her home. One reason claimed for the practice was the insecurity of government servers. However, it may be that the real reason public officials are avoiding their office servers is that those servers have gotten more reliable.

During the 1990s, government backup systems were indeed unreliable. At the end of the decade, hundreds of thousands of emails were lost in a backup system upgrade, to cite one example.

Such disasters could be useful to politicians when potentially embarrassing emails disappeared.

“It gave them some level of deniability,” said Kevin Weiss, CEO of Unitrends.

With the improvement of government backup systems, though, that plausible deniability becomes less plausible.

“More and more people are going to third party email to bypass government email because backups are better,” Weiss said.

Eventually, private email for office correspondence will have to be curtailed, he suggested. “There’s either going to have to be an outlawing of private accounts or some form of auditing. For anything that is business related, there is no reason to use private email unless you’re trying to evade.”

Breach Diary

  • April 13. Washington legislature approves and sends to governor bill strengthening state’s data breach law. New provisions include eliminating exemption for encrypted data and requiring consumer notification within 45 days whenever personal information compromised.
  • April 14. Annual Verizon Breach Investigation Report released. Among its findings: 23 percent of recipients open phishing messages and 11 percent click on attachments in them.
  • April 14. U.S. Government Accountability Office (GAO) reports hundreds of planes flying commercial flights could be vulnerable to cyberattack via their in-flight Wi-Fi networks.
  • April 15. Target reaches tentative US$19 million settlement with MasterCard for losses to card issuers from massive data breach in 2013. Ninety percent of issuers must approve settlement before it can become final.
  • April 15. Committee on Energy and Commerce approves and sends to the U.S. House of Representatives the Data Security and Breach Notification Act, which would supersede all state data breach laws.
  • April 15. Metropolitan State University in Minnesota reports “probable” data breach in January exposed personal data of some 160,000 current and former students. About 11,000 students may have had the last four digits of their Social Security numbers compromised.
  • April 15. AppRiver releases first quarter global security report finding total spam traffic increased 38 percent from the previous quarter, while spam originating from North America and Europe accounted for 78 percent of all spam traffic for the period.
  • April 16. HSBC, formerly Household Finance, reports that personal data of some of its customers was accidentally exposed to the public Internet. Those affected by the incident include 685 New Hampshire and an undetermined number of California customers.
  • April 16. Parks Associates releases research finding that 47 percent of U.S. broadband households have security or privacy concerns about smart home devices.
  • April 17. Pistachio Harvest study sponsored by the American Enterprise Institute’s Critical Threats Project and Norse Corporation finds the number of cyberattacks from Iranian-controlled systems has more than doubled in the past 15 months.

Upcoming Security Events

  • April 25. B-Sides Rochester. German House, 315 Gregory St., Rochester, New York. Free.
  • April 29. Best Practices for DDoS Protection. 9 a.m. ET. Arbor Networks webinar. Free with registration.
  • April 29. SDN and NFV: Protecting the Next Wave Infrastructure. 11 a.m. ET. Arbor Networks webinar. Free with registration.
  • April 29. Dark Reading’s Security Crash Course. Mandalay Bay Convention Center. Las Vegas, Nevada. Registration: through March 20, $899; March 21-April 24, $999; April 25-29, $1,099.
  • May 2. B-Sides San Antonio. Texas A&M, Brooks City Base, San Antonio, Texas. Fee: $10.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • May 9. B-Sides Boston. Microsoft 1 Cambridge Center, Cambridge, Massachusetts. Fee: $20.
  • May 13. SecureWorld Houston. Norris Conference Center, Houston, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • May 14. B-Sides Denver. Society Denver, 1434 Blake St., Denver, Colorado. Free.
  • May 27-28. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), 2 Galleria Parkway Southeast, Atlanta. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 8-10. SIA Government Summit 2015. W Hotel, Washington, D.C. Meeting fees: members, $595; nonmembers, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, £400; before June 16, £500; after June 15, £600.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300; June 1-Aug. 31 — $995, $1,250, $1,045, $350; Sept. 1-Oct. 1 — $1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • I agree that "The top reasons for the difficulty are isolated and fragmented systems and lack of skilled personnel."

    Ulf Mattsson, CTO Protegrity

