An Apple-commissioned report this week has highlighted once again why analysts have long recommended the use of end-to-end encryption to protect sensitive data against theft and misuse.

The report is based on an independent study of publicly reported breach data that a professor at the Massachusetts Institute of Technology conducted for the tech giant. It showed that ransomware campaigns and attacks on trusted technology vendors contributed to a sharp increase in data breaches and the number of records compromised in these breaches over the past two years.

Billions of Compromised Records

In 2021 and 2022, data breaches exposed a staggering 2.6 billion personal records — some 1.5 billion of them last year alone. That number will likely be even higher in 2023 if trends so far this year are any indication.

The total number of data breaches in the first nine months of 2023 alone is already 20% higher than the total for all of 2022. Corporate and institutional breaches exposed sensitive records belonging to some 360 million people through the end of August 2023.

Data from IBM’s 2023 Cost of a Data Breach report and a separate Forrester research study, quoted in the Apple report, showed that 95% of organizations that experienced a recent breach had experienced at least one other previous breach. Seventy-five percent had experienced at least one data compromise incident in the previous 12 months.

Ransomware and vendor attacks contributed in a major way to the sharp increase in data breaches and resulting compromise of sensitive records. The number of ransomware attacks in the first nine months of 2023, for instance, was 70% higher than the same period in 2022. Some 50% more organizations reported experiencing a ransomware attack in the first half of 2023 compared to 2022, and the number appears to be trending even higher in the back half of the year.

The study also found that 98% of organizations currently have a relationship with a technology vendor that has experienced at least one recent data breach. Examples in the report of breaches involving vendors and vendor technologies that had an impact on a broad number of organizations and individuals include ones at Fortra, 3CX, Progress Software, and Microsoft.

“This rising threat to consumer data is a consequence of the growing amount of unencrypted personal data that corporations and other organizations collect and store, particularly in the cloud,” Apple said in its report. “Organizations can reduce the likelihood of hackers using or selling their consumer data by encrypting data stored in their networks, making it only readable by those who have the key to decrypt it.”

Breaches Heighten Need for Encryption

The need for organizations to encrypt data — while it is in use, in transit, and at rest — is a long-recognized issue. Few dispute the effectiveness of data encryption in protecting stolen data against misuse and in rendering stolen data useless to those who steal it. Several regulations and industry mandates — such as PCI DSS, HIPAA, GLBA, and the EU’s GDPR — require or recommend encryption, especially for stored data and for data in transit.

“Encryption stands as a formidable defense against unauthorized access to sensitive information,” says Demi Ben-Ari, CTO and co-founder of Panorays. Encryption makes data unreadable to unauthorized parties, greatly reducing the risk of data exposure even in the event of a data breach, he says. “The strength of encryption in making stolen data useless highlights its crucial role as a basic protective measure.”

Even so, many organizations — as Apple’s study and that from others suggest — have continued to drag their feet on data encryption for a medley of reasons. These include the perceived complexity of encryption systems, the potential cost involved, concerns over performance impacts, and a lack of in-house expertise to manage encrypted systems effectively, says Craig Jones, vice president of security operations at Ontinue.

A Moderate-to-Difficult Challenge

“Implementing end-to-end encryption can range from moderately difficult to very challenging, depending on the organization’s size, existing infrastructure, and the types of data being encrypted,” Jones says. “It requires careful planning, investment in the right tools and technologies, and often a cultural shift in how data security is perceived and managed.” Organizations often run into problems related to key management, which is a major issue because losing keys can mean losing access to data permanently. Organizations also need to consider potential performance impacts related to encryption and ensure compatibility with existing systems and formats, Jones says.

The rapid and growing adoption of cloud computing is another factor that organizations need to weigh when drawing up encryption plans. Data that Apple’s study reviewed showed that 80% of breaches involved data stored in the cloud. Encrypting such data can be more challenging than encrypting data on premises.

Organizations that have good security practices usually have full visibility over their legacy networks, says Ken Dunham, director of cyber threats at Qualys. “But when they migrate to cloud, they often lose the ability to have similar controls, visibility, management, and operations to address the pros and cons of encryption in action.” The need for organizations to maintain a hybrid network of legacy and modern technologies while they complete digital transformation initiatives adds another layer of complexity, he adds.

One mistake organizations can make is relying solely on cloud providers for data encryption, Ben-Ari says: “While cloud providers offer valuable security measures, organizations must assume direct responsibility for encrypting their data.”
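Jones’s key-management caveat above (lose the key and the data is gone for good) and Ben-Ari’s point that the organization, not its cloud provider, must own the encryption of its data both come down to the same design: encrypt each record client-side before it is uploaded, and keep the key that unlocks everything under the organization’s own control. The Go program below is an added example, not code from the Dark Reading article, Apple’s report, or any of the quoted vendors. It implements envelope encryption with AES-256-GCM: every object gets its own data encryption key (DEK), which is stored alongside the ciphertext wrapped under a long-lived key encryption key (KEK). The sample record and the object names are constructed, and an in-memory key stands in for the KMS or HSM that would hold the KEK in practice. The final step shows the failure mode Jones describes: with a different KEK, the stored blob cannot be decrypted at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeBlob is the only thing handed to the cloud provider: the record
// encrypted under a per-object data encryption key (DEK), plus that DEK
// encrypted ("wrapped") under the organization's key encryption key (KEK).
// The KEK itself never leaves the organization's key management system.
type EnvelopeBlob struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, record)
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. It is used
// both for the long-lived KEK and for each per-object DEK.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealGCM encrypts plaintext with AES-256-GCM under key, binds aad to the
// result, and returns nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. A wrong key, altered ciphertext, altered tag,
// or mismatched aad all fail authentication and return an error.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptRecord performs client-side envelope encryption of one record.
// objectID is bound as associated data so a blob cannot be silently moved
// into another object's slot in the bucket and still decrypt.
func EncryptRecord(kek, record []byte, objectID string) (EnvelopeBlob, error) {
	dek, err := NewKey()
	if err != nil {
		return EnvelopeBlob{}, err
	}
	ct, err := sealGCM(dek, record, []byte(objectID))
	if err != nil {
		return EnvelopeBlob{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(objectID))
	if err != nil {
		return EnvelopeBlob{}, err
	}
	return EnvelopeBlob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
// Without the KEK, the stored blob is indistinguishable from random bytes.
func DecryptRecord(kek []byte, blob EnvelopeBlob, objectID string) ([]byte, error) {
	dek, err := openGCM(kek, blob.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	rec, err := openGCM(dek, blob.Ciphertext, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("decrypt record: %w", err)
	}
	return rec, nil
}

func main() {
	kek, _ := NewKey() // in practice: held in a KMS/HSM with a tested backup
	record := []byte("customer=42;card=4111-xxxx-xxxx-1111") // constructed sample
	blob, err := EncryptRecord(kek, record, "customers/42.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d ciphertext bytes, %d wrapped-key bytes\n",
		len(blob.Ciphertext), len(blob.WrappedDEK))

	plain, err := DecryptRecord(kek, blob, "customers/42.json")
	fmt.Printf("with the KEK: %q (err=%v)\n", plain, err)

	lostKEK, _ := NewKey() // simulates the original KEK being lost and replaced
	_, err = DecryptRecord(lostKEK, blob, "customers/42.json")
	fmt.Printf("without the original KEK: %v\n", err)
}
```

Two design choices matter here. The KEK never touches the provider, so a breach of the storage bucket yields ciphertext and wrapped keys only; and because each object has its own DEK, rotating the KEK means re-wrapping small keys rather than re-encrypting every record. The flip side is exactly the risk Jones names: the KEK is a single point of failure, so its backup and recovery procedure needs to be tested, not assumed.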

He recommends that organizations prioritize technologies that are user-friendly to facilitate smooth integration; phased implementations can further minimize disruption to daily operations.

And finally, he recommends that organizations take advantage of the shared responsibility model that many cloud providers and leading SaaS vendors offer, which allows organizations to give users many advanced encryption features at the click of a button.

Source: www.darkreading.com