#HowTo: Eradicate Plaintext Data Breaches

Data breaches rose 68% in 2021, with large amounts of sensitive data being stored unencrypted. Overall, the amount of data collected and held about individuals is growing exponentially, and encryption is the best tool that we have to keep the data safe.

In the fragmented cybersecurity landscape, larger organizations must deal with a myriad of vendors. The main focus for these organizations is stopping attackers from accessing internal networks. This prevention strategy only gets you so far, and organizations should adopt an ‘assumed breach’ mentality, focusing on protecting sensitive data within their infrastructure.

Why All Data Must be Encrypted

When humans become involved in deciding what data to encrypt, the opportunity cost of implementing encryption immediately influences their decisions.

Developers have to implement the encryption themselves, and dealing with a variety of data types makes the engineering lift heavier. This heavy use of time and resources means that developers encrypt only the most sensitive data (if at all) instead of encrypting everything. 

Data sensitivity varies, from payment details to phone numbers and birthdays. However, to someone suffering from the impact of a data leak, all leaked information is sensitive. When a company gets breached, the emotional response of employees and customers is the same whether the attacker gained access to card details or email addresses. Therefore, encrypting everything, regardless of which data is deemed sensitive, is the best way to secure against data leaks. 

Making Ransomware Less Appealing

Ransomware is painful for organizations in two ways. The first is the business continuity cost. The WannaCry cyberattack on the NHS is a perfect example, with more than 600 NHS organizations affected, including 34 hospitals that had to cancel 13,500 outpatient appointments. Although the malware was thwarted within just 12 hours, it still cost the NHS around £92m in direct costs and lost output.

The second is the ransom payment itself. According to the WEF, the average ransomware demand by cyber-criminals is £170,000, making it a lucrative business as long as the stolen data is in plaintext. If a ransomware gang only has access to encrypted data, however, victims are protected because the data is no longer valuable to those who threaten to sell it if the ransom is not paid. When an organization encrypts its data, it mitigates the ransom component of a ransomware attack.

Businesses still have to worry about the business continuity side of a cyber-attack, but encryption effectively halves the cost because they’re not dealing with fines for data breaches or lawsuits. 

Plaintext Data Breaches

Open-source encryption is a great start for eradicating plaintext data breaches, but the biggest bottleneck is around who protects the encryption keys. If a security team implements encryption themselves, they store the keys and the encrypted data. In this scenario, a relatively unsophisticated attacker (including the threat of internal attackers) can put the two together and decrypt the sensitive data. 

To overcome this problem, organizations should allow an external party to store the keys in one place, and then they can store the sensitive data in an isolated part of the network. In this scenario, both the data center and the keyholder would need to be breached for a cyber-criminal to access and decrypt the data.

Allowing an external party to be custodians of the keys while the organization stores the data gives companies and developers the tools to encrypt all of their data – increasing security without increasing the engineering lift. 
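The split-custody arrangement described above, as an added example (not code from the article or from any vendor). It assumes Node.js and its built-in `crypto` module; the `KeyCustodian` class is a hypothetical stand-in for the external key holder, and the function names and sample record are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM; sealed layout is nonce (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key is wrong or the sealed bytes were modified.
function open(key, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Hypothetical stand-in for the external key holder: the KEK never leaves it.
class KeyCustodian {
  #kek = crypto.randomBytes(32);
  wrap(dek) { return seal(this.#kek, dek); }
  unwrap(wrapped) { return open(this.#kek, wrapped); }
}

// Organization side: persists only the ciphertext and the wrapped data key.
function encryptRecord(custodian, plaintext) {
  const dek = crypto.randomBytes(32); // fresh data key per record
  const record = { wrappedKey: custodian.wrap(dek), ciphertext: seal(dek, plaintext) };
  dek.fill(0); // the plaintext data key is never stored
  return record;
}

function decryptRecord(custodian, record) {
  const dek = custodian.unwrap(record.wrappedKey);
  try { return open(dek, record.ciphertext); } finally { dek.fill(0); }
}

// Constructed sample data: a record copied from the data store cannot be
// read without the custodian that wrapped its key.
function demo() {
  const custodian = new KeyCustodian();
  const record = encryptRecord(custodian, Buffer.from('dob=1990-01-01;phone=555-0100'));
  const roundTrip = decryptRecord(custodian, record).toString();
  let stolenReadable = true;
  try { decryptRecord(new KeyCustodian(), record); } catch { stolenReadable = false; }
  return { roundTrip, stolenReadable };
}

console.log(demo());
```

In a real deployment the `wrap` and `unwrap` calls would be authenticated requests to the key holder, so key access can be logged and revoked independently of the data store.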

Organizations that encrypt everything can protect sensitive information even in the event of a data leak, making encryption one of their most important security tools. No matter how insecure your infrastructure is, the data is secure. If everything’s encrypted, the risk of a potential breach diminishes and storing an encryption key with an external party adds an extra layer of data security. 
