Comment: There’s Much to Learn from Recent Data Security Breaches

"What’s needed is a more robust approach involving end-to-end encryption across all access points, and securing and protecting the data itself", says Jason Hart
"What’s needed is a more robust approach involving end-to-end encryption across all access points, and securing and protecting the data itself", says Jason Hart
Jason Hart, SafeNet
Jason Hart, SafeNet

From mid- 2011 on, a string of high-profile data breaches shook the reputations of several major brands. Sony, Epsilon, Steam and even Nasdaq found themselves pulled into the spotlight in a heated debate about how seriously organizations took information security.

Many people talked about how the 2011 breaches could be the catalyst for change in data protection. But, a year later, it seems that organizations are still struggling to ensure that their IT security strategies are up to scratch. With LinkedIn, Last.fm and eHarmony being some of the latest victims of hacking attacks, it becomes increasingly important to revisit the events from last year and reassess what organizations have learned from the security breaches.

Because businesses strongly depend on users’ trust, data security should be on the top of their agenda, forcing them to adopt strict security standards. However, recent security incidents beg the question: Is this really happening?

Whereas security breaches are hard to prevent, it is important that organizations understand the need to deploy effective security measures to ensure user privacy and company data are adequately protected. The reputational and financial consequences of a security breach are far too damaging for any brand to ignore.

Nevertheless, it seems that organizations are not going the extra mile to ensure their data protection strategies are effective enough in preventing security threats.

With cloud and work mobility forcing businesses to ward off attacks on multiple fronts, it becomes increasingly difficult to establish consistent security strategies across all access points. We recently did some polling on the security strategies adopted by enterprises and found that the majority of IT manager respondents were not utilizing encryption beyond IT systems’ endpoints to encrypt the actual data and information held inside the perimeter walls. These findings suggest that IT managers are not adopting comprehensive encryption technology to secure core data and systems. This is surprising, especially in the light of recent data security breaches highlighting the poor deployment of basic encryption standards within large organizations.

In fact, a recent report by the Verizon Risk team revealed that 97% of the breaches in 2011 were avoidable, and the majority of them were not even highly sophisticated attacks. What’s even more alarming is that 68% of these incidents involved attacks on core data servers that provide access to the most sensitive information within organizations.

So why are businesses still struggling to meet basic security standards? Quite often it is a misunderstanding that encryption needs to be applied only to highly sensitive information, such as financial data and intellectual property assets. What’s been overlooked in the past few years is the increased role of soft user data – such as personal details and social information – as one of the most common targets for cybercriminals. With more and more data being shared online, organizations need to wake up to the need for encrypting all data, not only financial details.

Lack of understanding about security risk is another issue that needs to be addressed by organizations looking to improve their security strategies. Encrypting only the end points of the perimeter is no longer effective in providing reliable security. What’s needed is a more robust approach involving end-to-end encryption across all access points, and securing and protecting the data itself. There is no excuse for businesses that fail to deploy comprehensive encryption, as effective cryptography solutions are available and proven to work.

By encrypting all data at the time of generation and throughout its full lifecycle, businesses will be able to ensure user privacy and safeguard valuable data regardless of where it resides – whether on a data server or in the cloud.

Another important step in ensuring strong data protection is the management of the security keys. By storing the encryption keys in hardware, outside the virtual environment, organizations can ensure sensitive data cannot be compromised even if it falls in the hands of cybercriminals. What’s even better about this approach is that it provides an additional layer of security that can be extended to all data and applications available on-premise and in the cloud.

These steps, coupled with strong two-factor authentication, will enable organizations to stay ahead of cybercriminals in the security game.



As a former ethical hacker with 18 years of experience in the information security industry, Jason Hart has used his knowledge and expertise to create technologies that ensure organizations stay one step ahead of the risks presented by ongoing advances of cyber threats. He is currently VP Cloud Solutions at SafeNet, where he is responsible for developing the company’s authentication-as-a-service offering. Hart has published numerous articles and white papers, and continually appears on national TV, radio and in print media as an expert advisor on cybersecurity . In addition, he regularly provides advice on information security matters to governments, law enforcement and military agencies and is Vice Chairman for E-Crime Wales.

What’s hot on Infosecurity Magazine?