SecurityWeek

Data Protection

The Encryption Advantage: Simple Steps to Protect your Valuable Information

Data breaches can be costly to a company’s bottom line and reputation. Organizations should be motivated to protect sensitive data with encryption.

Epsilon, a company that conducts e-mail marketing campaigns, isn’t a household name, but its clients are: Best Buy, Kroger, Hilton and Marriott hotels, Target and Walgreens, just to name a few. Epsilon got a black eye, and 50 of its 2,500 clients had to do damage control, when its computers were hacked and the e-mail addresses of those clients’ customers were exposed. All the ensuing anxiety and negative publicity could have been avoided if Epsilon had encrypted the e-mail address data. It’s a relatively easy solution to avoid a big problem.

Given the hundreds of data breaches reported annually, organizations should be well motivated to take the necessary steps to protect sensitive, valuable and regulated data with encryption, but a troubling number of companies don’t. When data is encrypted, even if it’s exposed to hackers, they can’t do anything with it: without the proper encryption keys and credentials, accessing the data is nearly impossible.

Database Encryption

The Epsilon breach, first reported March 30, 2011, was relatively harmless, but it could have been much worse. Epsilon responded quickly and appropriately by acknowledging the breach and the fact that tens of thousands of consumers’ e-mail addresses had been exposed. A number of its clients, such as the providers of the Hilton and Marriott hotel rewards programs, warned their customers of the breach and urged them to be on the lookout for dangerous and costly phishing attacks: fake e-mails designed to look like they’re from legitimate businesses. An unsuspecting recipient may click on a link in such an e-mail only to discover they’ve just downloaded a malicious payload through their browser that could steal passwords or other personal information. Epsilon said only e-mail addresses were stolen, not names and addresses or credit-card numbers. It’s unknown whether that’s because that data was encrypted. If it was, it raises the question of why e-mail addresses weren’t also encrypted and therefore protected.

The most important thing about encryption is that, in most cases, it shields a company from having to disclose a data breach that can bring embarrassment, brand damage and, ultimately, harm to its customers. Most of the 50 states have adopted breach notification laws, but 42 of them have an exception allowing companies to avoid having to disclose a breach if the data exposed was encrypted. The language in the Arizona breach notification law is typical: “[The law] excludes data that is redacted or secured by other methods rendering data unreadable or unusable from notification obligations.”

Data breaches can be costly not just to a company’s bottom line but to its reputation. The Ponemon Institute published a study this year that places the average cost of a breach at $4 million per incident, based on a study of breaches in the U.S., Germany, France, the UK and Australia. This number is significant and represents an 18 percent increase from 2009. It includes the cost of detecting and responding to the breach, the cost of customer notification, lost business and follow-up responses. The cost per compromised record was $156, up 10 percent from 2009. The United States had the highest costs per incident and per compromised record, at $7.2 million and $214, respectively. Lost business is the most expensive cost of a breach, according to Ponemon, as trust is lost and customers take their business elsewhere.

On the bright side, the report shows that U.S. companies were driven by regulatory compliance to invest more in prevention, including deploying more encryption: “2010 marked the first time that regulatory compliance surpassed data breach mitigation as the main driver behind U.S. companies’ implementation of encryption technologies.” However, the Ponemon study also exposed an acute lack of preparedness by organizations to protect against a breach, which “can lead a company to become a first-time breach victim.” In other words, advance preparation should precede recovery and notification plans. Encryption technologies render sensitive data unreadable by transforming it with a mathematical algorithm, so that it cannot be read unless the user has the appropriate digital key to decrypt and access it. In most cases, a public or asymmetric key encrypts the data and a private key is needed to decrypt it. The private key is available only to the person or persons allowed to use it to decrypt the data in motion as it moves within and beyond corporate networks, including to the cloud and mobile devices. Besides using encryption to protect the data, another critical part of a security policy is to protect the private keys. The keys must be securely stored on the customer’s premises or with a trusted third-party service.
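As an added illustration (not code from the article or from any company it mentions), here is the pattern the paragraph describes, a public key used to encrypt stored data and a private key held elsewhere to decrypt it, applied in Go to a column of e-mail addresses like the ones exposed at Epsilon: each address is sealed with AES-256-GCM under a fresh per-record data key, and that key is wrapped with RSA-OAEP so the writer never needs the private key. The type and function names (EncryptedRecord, NewKeyPair, EncryptEmail, DecryptEmail) are assumed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// EncryptedRecord is what lands in the database column: the sealed e-mail
// address plus its per-record AES data key, wrapped under the RSA public key.
// A dump of the table is useless to whoever lacks the private key.
type EncryptedRecord struct{ Nonce, Ciphertext, WrappedKey []byte }
// NewKeyPair creates the RSA pair; the private half is kept off the DB host.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}
// gcm builds AES-256-GCM; for a 32-byte key neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// EncryptEmail seals one address under a fresh data key and wraps that key
// with RSA-OAEP (envelope encryption). The writer holds only the public key.
func EncryptEmail(pub *rsa.PublicKey, email string) (EncryptedRecord, error) {
	buf := make([]byte, 44) // 32-byte data key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return EncryptedRecord{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm(key).Seal(nil, nonce, []byte(email), nil)
	return EncryptedRecord{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptEmail needs the private key; any tampering makes OAEP or GCM fail.
func DecryptEmail(priv *rsa.PrivateKey, rec EncryptedRecord) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	pt, err := gcm(key).Open(nil, rec.Nonce, rec.Ciphertext, nil)
	return string(pt), err
}
```

Because GCM authenticates the stored bytes and OAEP rejects a mismatched private key, a leaked or edited table yields neither the addresses nor a silent wrong answer.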

The Sony PlayStation Network case provides a lesson in how encryption can take some of the sting out of a breach. Sony suffered the embarrassment of having hackers break into the network in April 2011, shutting it down for three weeks and exposing personal information about its 77 million subscribers. However, Sony said that while credit card numbers were stolen, that data was encrypted, so it was of no use to the cybercriminals. Sony reported that the cost to recover from that breach was $171 million. Had the thieves obtained the credit card numbers in usable form, the costs would have been much higher.
