Is ‘Encryption of Everything’ the new savior in the Cyber War?

26 September 2015

Data breaches in 2015 are at a record level. By September 22, 2015, the Identity Theft Resource Center (ITRC) had identified 563 data breaches with 150,196,896 records compromised in total. The number of compromised records is nearly twice as high as in 2014, when 85,611,528 records were breached in total.

Encryption is recommended as the means of choice for protection against data breaches as well as theft of intellectual property. On Friday evening, I attended the SC Magazine WebCast “Creating an Encryption Strategy for Modern Risks Mitigation”. David Shackleford and Charles Goldberg are drafting an “Encryption Everything” strategy for all company-internal information, irrespective of whether it is stored on premises or in a cloud.

The idea of ‘encryption of everything’ has a certain charm and, if well implemented, will prevent internal information from being usable outside the encryption key perimeter of a company. But it is dangerous to assume that encryption of everything will prevent data breaches.

The problem with encryption always comes from the users who are authorized to access the information. And the big question is always how an authorized user can be uniquely identified.

It’s not easy to tell whether an authorized user is signing in to your system or a cyber attacker using the credentials of an authorized user, because in both cases the event log will only show a successful sign-in attempt of a user.

Encryption plays an important role in a company’s security strategy. If used as an isolated protection measure, it’s just a waste of money.

Have a good weekend!