Is this one of those cases where that old saying, ‘there are none so blind as those that will not see’, is proven to be more than a little true?
Despite the number of occasions that the very minimum standard of security practice – if data moves, encrypt it – is shouted from the rooftops, a recent survey organised by data-centric encryption and tokenisation specialist Voltage Security reveals that many organisations are still sending sensitive data outside of their organisation without any form of encryption. Despite the many headline-making breaches that have called attention to the importance of data encryption, nearly 36 percent of IT security professionals admit to this as regular practice.
"This statistic is cause for alarm, particularly given that encryption provides protection for companies against cyber criminals, competing companies and even Governments; it is the key to keeping sensitive data away from prying eyes," said Terence Spies, CTO at Voltage Security. "Encrypting data at the source means that hackers or malicious actors will not be able to see or use the information, even if they do manage to intercept it."
It can only be assumed that if security professionals don’t bother with encryption of sensitive data in transit then the thought probably never even occurs to a much higher percentage of business professionals, who rely on security professionals to at least tell them what to do, if not actually manage the processes for them.
The survey was conducted at a recent European IT security exhibition and looked at the attitudes of more than 200 IT professionals towards encryption, big data security and EU data privacy regulations.
Worryingly, the survey also showed that almost half of respondents indicated that they are not de-identifying any data within their organisations. The ability to ‘de-identify’ information, by employing standards-based encryption technologies such as Format Preserving Encryption (FPE), provides very effective mechanisms to secure sensitive data, as it is used and managed at the personal and professional level.
“This inherently provides an underlying foundation for data privacy, ensuring not just that the data itself is secure, but also that the information can only be accessed and used by authorised users and the specific intended recipients,” Spies said.
Discussions surrounding data residency, lawful intercept and protecting data from advanced threats have been top of mind for many years. While recent stories shine a spotlight on the risks to data, including theft and extortion, the need to protect data from inadvertent risk while ensuring the business isn't constrained is a clear problem every business needs to solve.
“The good news is that breakthroughs in data protection in the last few years have made it possible to achieve the highest levels of security while maintaining business continuity - even across complex global enterprises. Our customers, who span many countries and industries, want to ensure that they are complying with all applicable laws, while not relinquishing their ability to provide the high level of protection of sensitive information that their customers demand of them and privacy mandates require. It is encouraging to see that three-quarters of those we spoke to at Infosecurity are aware of these data residency requirements and laws.
"Data-centric security techniques permit this fine-grained protection of sensitive information which means the protection stays with the data wherever it goes, even if it is intercepted, because it is encrypted at the source. This puts the company in control of the privacy over its data assets, while ensuring it can stay compliant with privacy regulations and keeps the business running smoothly,” concluded Spies.