Breach Prevention Is Dead, Encryption Is King

It’s time that executives and information security professionals accept the fact that their companies will be breached and start thinking outside the box when it comes to data security.  To be in denial of this truth is to not accept reality.

Indeed, based on what happened last year, 2014 should go down as a tipping point for how companies approach data security for years to come.

Some of the biggest companies in nearly every major industry were breached in 2014, from Moonpig and JP Morgan Chase to Sony Pictures. According to the Breach Level Index, there were 1,540 reported data breaches worldwide last year, nearly a 50 percent increase compared to 2013.

Inevitable breaches

What’s even more troubling is that the amount of information being stolen has increased dramatically.  Nearly one billion data records were either lost or stolen last year, representing a 71 percent increase compared to 2013.

The reality is that no matter how much money and time is spent protecting information and assets, cybercriminals will always find a way past perimeter defences.   Last year, we had more than 1,500 examples of this.

They targeted vendors in order to insert malware in retail companies’ point-of-sale systems.  They went after employees with social engineering attacks and stole corporate log-in credentials. The list goes on and on, and with increasing frequency and effect.  Here is a statistic to consider.  The number of data breaches involving 100 million customer data records or more doubled in 2014.

Yet, despite the growing size of data breaches, the vast majority of companies still continue to rely on breach prevention as the foundation of their information security strategies.  This means they focus on building walls around the data perimeter security technologies and monitoring those walls for intruders.  Unfortunately, this approach has not been working very well.  Maybe it’s time for a change.

A New Mindset for Data Security

How do we change the status quo and usher in a new era where it is possible to have a secure breach with an approach to security that keeps valuable assets secure even when hostile intruders have penetrated the perimeter?

First, companies need to understand why they are not winning the war against hackers and cybercriminals. Because they stubbornly adhere to Einstein’s definition of insanity: doing the same thing over and over again and expecting a different outcome. In this case, that same thing is responding to breaches by investing disproportionate sums of money in perimeter defences in a futile attempt to prevent breaches.

Second, companies should stop pretending they can prevent a perimeter breach.  They should accept this reality and build their security strategies accordingly.  Admitting a problem is the first step in the road to recovery.  It’s very likely that companies are spending 90 percent of their security budgets the same way they did back in 2005, which undoubtedly focuses on perimeter and network defences.

Now, this isn’t to suggest that organisations should stop investing in key breach prevention tools. What they need to do is place their bets on strategies that protect their most valuable assets. Just like the military, IT should always presume to be functioning in a compromised state.

The third step is protecting your company by making it so difficult to access what they crave that they give up and move on to someone else. In business terms, you create a very poor return on their investment in trying to steal your data.  However, you don’t do it by building a bigger wall around your house.  Cybercriminals will simply build a bigger ladder.

Encryption

So, how do you do this? First, you put yourself in the mind set of your adversary and understand what they want to steal from you – and this is always your data. From there, you’ll quickly realise that security must be moved closer to what really matters – the users who access the data and the data itself. Obviously, this means stronger user access controls and encryption.

Multi-factor authentication and user access controls ensure the identity of the user and restrict access to data only to those individuals who have the rights to it.

Ultimately, however, it is encryption that is the real ROI killer for any would-be attacker. By attaching the protection to the data, you’re killing the value of the data once a breach has taken place, and you’ve made the breach largely benign since no data has truly been compromised.

If more companies moved away from breach prevention toward securing the breach with encryption, then more consumer data and sensitive information would be safer and breaches would not be so serious a matter.

Jason Hart is vice president of Cloud Solutions for Identity & Data Protection at Gemalto