This month, the Australian financial services group, Latitude Financial, revealed a data breach that resulted in the personal details of up to 8 million customers being stolen. Companies that have suffered a breach commonly make public statements claiming they were using encryption, to show they take data privacy seriously. However, whether the executives making these statements are misinformed or deliberately misleading, saying “we use encryption” doesn’t tell us anything about the strength of an organization’s data privacy defenses.
Language is imprecise, and the meaning of words can change based on context. Encryption is a mathematical technique for disguising data and is widely used to protect everything from hard disks to email messages. It’s highly effective at protecting data in a local context, but the challenge for organizations is ensuring there are no gaps. Implementing effective data protection is like building a dam wall to hold back water. Simply having some big concrete blocks isn’t enough if the water can flow through the gaps.
For business leaders considering the vulnerability of their organizations, it’s essential to differentiate between “tick in the box encryption” and effective data privacy control. To illustrate this point, imagine going on holiday and locking up your house. You might lock the garden gate, but you’d be crazy to leave the front door unlocked or the windows open. The ideal scenario is where the house is locked up tight, and only a few people have access to the keys.
A couple of simple examples highlight the slipperiness of the statement “we have encryption.” You can encrypt a computer disk at the full-disk or volume level, which is similar to padlocking the garden gate – better than nothing, but not particularly useful. Once unlocked, anyone can access the contents. You can encrypt an entire database, but if you store the encryption keys on the same server, an attacker who can access the server can steal both. Alternatively, an attacker might find copies of the data sitting in a development database, in report files stored on a file server, or on a desktop.
When it comes to protecting a large organization, we’re not locking a single house; we’re trying to secure a massive building with lots of different spaces. That introduces a whole new level of challenge when trying to secure data everywhere. Can you encrypt every system, every device? Is your encryption protection a “garden gate” or a “safe within a locked room inside a secure building”? Are you centrally managing and protecting your encryption keys separately from your data? Are you able to restrict the ability of your IT organization to bypass data privacy controls? Addressing these kinds of challenges takes us into the realm of enterprise encryption management systems, an entirely different beast.
So, next time a CEO stands up and states their confidence in their organization’s preparation to resist data breaches because they use encryption, take the time to dig deeper and find out if they’ve really invested in strong security or have merely locked the garden gate.