Dealing With The Biggest Cybersecurity Fallacy In Enterprise
There are tons of security fallacies in enterprise. But what’s the most prevalent of them all? More importantly, how do you deal with it?
If you wanted to talk shop about all the security fallacies floating around enterprise IT, it’s doubtful you’d ever run out of things to say. From remote wiping to cloud security to digital espionage, the business world is rife with misinterpretations, misinformation, and FUD-fostering stories. Of all the fallacies and falsehoods, one stands out to me above all others as the most dangerous, most prevalent, and most baffling: the idea that somehow, if data is encrypted, it’s not at risk of being compromised.
I’ve witnessed people on both sides of the IT coin refer to encryption as some sort of holy grail of data protection. On one hand, every time there’s a terrorist attack or similar tragedy, politicos begin to bray about how it wouldn’t have happened if only law enforcement agencies had access to backdoors into strong encryption. On the other hand, whenever a data breach occurs, it seems like the first notion many security experts default to is that it was somehow a failure in terms of encryption – if the data had been properly encrypted, the breach would never have happened.
Here’s the thing – in 2013, a joint study by Ponemon and Symantec found that most data breaches that year were actually the result of human error.
What a lot of people seemed to forget was that the security threats facing any given organization were not entirely external – nor were they all digital. Physical loss or theft, malicious insiders, employee ignorance, and lax security standards are all threats that generally have no bearing on whether or not the information’s encrypted.
“[Encryption at rest] doesn’t help you when logical access to the system is gained through other means,” writes RELX Group’s VP of Information Security Assurance & Data Protection Aurobindo Sundaram. “For instance, a guessed or cracked password, an application-level attack, or a user-level attack are all examples of this. Remember that encryption must still make data available to the user on demand, so if an attacker has the ability to become the user, you’re toast.”
“It also doesn’t help you when a user goes ‘bad,’” he continues. “There’s no way to predict this or, for the most part, respond to it. You could do strict segregation of duties and two-person controls, if you can afford it, but encryption doesn’t really help you protect against this attack either.”
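To make Sundaram’s point concrete, here is an added example (written for this post, not code from the article or from RELX) of a store that encrypts records at rest yet hands plaintext to any valid session, alongside the two-person control he mentions. The cipher is an HMAC keystream standing in for AES, and the user, password and record are constructed.

```python
import hashlib
import hmac
import secrets

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stand-in for AES-CTR: HMAC-SHA256 keystream XORed over data (same call encrypts and decrypts)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class Store:
    """Ciphertext on 'disk'; the app holds the key (transparent encryption at rest)
    and decrypts for any authenticated caller, which is exactly the weak point."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.disk = {}          # record_id -> (nonce, ciphertext)
        self.sessions = {}      # token -> username
        self.users = {"alice": hashlib.sha256(b"correct horse").digest()}  # constructed
        self.approvals = set()  # record_ids cleared by a second person

    def put(self, rid, plaintext):
        nonce = secrets.token_bytes(16)
        self.disk[rid] = (nonce, stream_xor(self.key, nonce, plaintext))

    def login(self, user, password):
        digest = hashlib.sha256(password).digest()
        if user in self.users and hmac.compare_digest(self.users[user], digest):
            token = secrets.token_hex(16)
            self.sessions[token] = user
            return token
        return None

    def read(self, rid, token, two_person=False):
        """Any valid session gets plaintext, however the token was obtained.
        two_person=True models the second-person control: an approval must exist."""
        if token not in self.sessions:
            raise PermissionError("no session")
        if two_person and rid not in self.approvals:
            raise PermissionError("second-person approval required")
        nonce, ct = self.disk[rid]
        return stream_xor(self.key, nonce, ct)

def demo():
    s = Store()
    s.put("payroll", b"salary: 120000")
    token = s.login("alice", b"correct horse")  # a guessed password yields this same token
    return {"plaintext_on_disk": b"salary" in s.disk["payroll"][1],
            "attacker_reads": s.read("payroll", token)}
```

The disk image holds no plaintext, yet whoever holds a session token reads it; only the extra control outside encryption refuses the lone requester.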
Sundaram also notes – rightly so – that encryption can eventually be brute-forced or cracked by a third party. It is not, as some would have you believe, unbreakable. It’s like any other security measure – there are weaknesses, if you know where to look.
The good news is that putting this fallacy to rest is quite simple. All you really need to do is think of encryption as part of a larger set of security measures designed to protect your organization’s information. Blend strong encryption with mobile device management, file-centric DRM, user education and enablement, and active vulnerability management.
Make no mistake here. Encryption is still an extremely important security measure, and a strategic cornerstone for risk-aware enterprises. At the same time, assuming that encrypting your data is the only thing you need to do in order to protect it is both negligent and foolish.