
Latitude Finance – Locking the garden gate

This month, the Australian financial services group, Latitude Financial, revealed a data breach that resulted in the personal details of up to 8 million customers being stolen. It’s common to hear public statements from companies that have suffered a breach claiming they were using encryption to show they take data privacy seriously. However, whether the executives making these statements are misinformed or deliberately misleading, saying “we use encryption” doesn’t tell us anything about an organization’s strength of data privacy defenses.

Language is imprecise, and the meaning of words can change based on context. Encryption is a mathematical technique for disguising data and is widely used to protect everything from hard disks to email messages. It’s highly effective at protecting data in a local context, but the challenge for organizations is ensuring there are no gaps. Implementing effective data protection is like building a dam wall to hold back water. Simply having some big concrete blocks isn’t enough if the water can flow through the gaps.

For business leaders considering the vulnerability of their organizations, it’s essential to differentiate between “tick in the box encryption” and effective data privacy control. To illustrate this point, imagine going on holiday and locking up your house. You might lock the garden gate, but you’d be crazy to leave the front door unlocked or the windows open. The ideal scenario is where the house is locked up tight, and only a few people have access to the keys.

A couple of simple examples highlight the slipperiness of the statement “we have encryption.” You can encrypt a computer disk at the full-disk or volume level, which is similar to padlocking the garden gate – better than nothing, but not particularly useful. Once the volume is unlocked, which it is whenever the system is running, anyone who can reach the system can read the contents. You can encrypt an entire database, but if you store the encryption keys on the same server, an attacker who gains access to that server can steal both the data and the keys. Alternatively, an attacker might find copies of the data sitting in a development database, in report files stored on a file server, or on a desktop.

When it comes to protecting a large organization, we’re not locking a single house; we’re trying to secure a massive building with many different spaces, which introduces a whole new level of challenge in securing data everywhere. Can you encrypt every system and every device? Is your encryption protection a “garden gate” or a “safe within a locked room inside a secure building”? Are you centrally managing and protecting your encryption keys, separately from your data? Are you able to restrict the ability of your own IT organization to bypass data privacy controls? Addressing these kinds of challenges takes us into the realm of enterprise encryption management systems, an entirely different beast.
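The key-separation point of the two paragraphs above, as an added illustration that is not Randtronics' code or anything from the original post: a hypothetical KeyService keeps the key-encryption key (KEK) off the database host and unwraps a per-row data key (DEK) only for an authorised identity, so a copied database, dev clone or report file holds only ciphertext and a wrapped DEK, neither of which decrypts on its own. It uses Go's standard-library AES-256-GCM; the names KeyService, seal, open and the "billing-app" identity are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key) // only generated 32-byte keys reach here, so no KeySizeError
	g, _ := cipher.NewGCM(b)   // AES has the 16-byte block GCM requires
	return g
}
// seal prepends a fresh 12-byte nonce; open reverses it and fails on a wrong key or a tampered blob.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read never returns an error on Go 1.24+; it crashes instead
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// KeyService (hypothetical) keeps the key-encryption key (KEK) off the
// database host and unwraps data keys only for an authorised identity.
type KeyService struct {
	kek     []byte
	allowed map[string]bool
}
// Encrypt: the host ends up holding only the ciphertext and the KEK-wrapped DEK.
func (ks *KeyService) Encrypt(row []byte) (ct, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, row), seal(ks.kek, dek)
}
// Decrypt: a stolen copy of ct+wrappedDEK is useless unless this call succeeds.
func (ks *KeyService) Decrypt(caller string, ct, wrappedDEK []byte) ([]byte, error) {
	if !ks.allowed[caller] {
		return nil, errors.New("key service: not authorised: " + caller)
	}
	dek, err := open(ks.kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ct)
}
```

The check a practitioner wants from this layout is that nothing on the database host, its backups or its dev clones can turn the wrapped DEK back into a key; only the key service, for an identity it allows, can.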

So, next time a CEO stands up and states their confidence in their organization’s preparation to resist data breaches because they use encryption, take the time to dig deeper and find out if they’ve really invested in strong security or have merely locked the garden gate.

Letter from the CEO


Thank you for visiting the Randtronics website.

We make enterprise encryption easy.

Smart businesses already know that only encryption can reduce the attack surface and stop the hackers from stealing their sensitive data. A company that only uses encryption is more secure than a company with all other cyber security measures. Privacy standards such as PCI DSS, HIPAA, and GDPR all mandate in law the protection of citizens’ personal data. Fines for breaches are huge. You won’t get fined if your firewall is hacked. You won’t get fined if you suffer a virus or ransomware attack. You WILL get fined if you lose ANY personal data pertaining to ANY citizen. The lowest common denominator is the DATA. Data that is “Encrypted” is out of the scope of the Law.

Whilst all understand the need to protect sensitive data holistically (such as the NIST Cyber Security Framework or the 12 prescriptive PCI DSS guidelines), their cyber security priorities are misguided, focusing on the easy aspects and not addressing “what happens” when these fail. Encryption of data is the only direct protection measure that renders data unreadable, compared to upgrading firewalls, virus and malware protection, IPS, log monitoring, etc. I am saying you need all methods, but unless you have implemented enterprise grade encryption you are still unprotected, like driving a car without “seatbelts”. “Enterprise grade encryption” as a cyber measure is the “seat belt” that saves lives in car accidents. Industry experts predict a relentless continuation of data breaches this year, and penetration testing has proven perimeter defense is easily penetrable.

Randtronics has taken up the challenge to make encryption easy and is innovating in many areas. We have already reduced deployment effort to days and use familiar standard components so that less skilled people can deploy and maintain systems.
I welcome discussions via email or phone, as through your feedback we will be challenged to continue to innovate to the point where businesses and users do not need to be intimidated when using encryption as the world’s most powerful tool to protect their sensitive data.

Experts predict data breaches will continue at a relentless pace; let Randtronics secure your business with “Enterprise grade ubiquitous encryption technology”. Time is of the essence. Why not be proactive? I invite you to let Randtronics and its global distributors and resellers assess and assist your business directly.

Yours sincerely,
Bob K Adhar, BE, MBA, CISSP
Founder and CEO