Encryption and Data Security Lessons Learned in 2021
The importance of data security and encryption’s role in it has never been more evident than in 2021.
Here are a few lessons and reflections organizations can use to help create a solid foundation for addressing data security with the arrival of the new year.
THE ZERO TRUST MODEL PROVIDES DATA-CENTRIC SECURITY
The Zero Trust approach to security acknowledges a sobering fact about the modern, digital age: The likelihood of a cyberattack is a certainty.
Using technologies and processes based on the Zero Trust principles of always verify explicitly, allow only least privilege access and assume a breach is in place helps protect data by removing the concept of trust from network architecture, or more precisely, limiting trust based on the data that has to be accessed. This places the onus of data protection primarily on the securing of endpoints and backend applications rather than on network protection.
The more privileges granted to users, the more the attack surface will expand. In the Zero Trust framework, all users have to be authenticated, authorized and repeatedly validated before being granted or retaining access to data and applications. They are given permissions to access only the resources necessary to conduct their work. The data, which is encrypted at rest and while in transit to devices, including cloud storage, and become accessible only to those parties with the appropriate privileges.
DATA SECURITY FOR REMOTE AND HYBRID WORKING SHOULD BE A MAIN CONCERN
Remote and hybrid workplaces have altered the attack surfaces of organizations. Even before the significant workplace shift, the influx of IoT systems and widescale use of multi-cloud environments meant that the typical organization’s security perimeter was becoming more blurred. With workers now routinely working from remote sites, the attack surface is expanding even more. However, organizations still have to provide the same level of data security protection to their workforce, regardless of the location, whether it is office cubicle, home office or a restaurant hotspot.
For almost all organizations, this has required a revamping of security policies to account for the issues that can arise when workers have to access data from a remote location. The end-to-end encryption of data transmission in the remote and hybrid has become even more of a necessity.
MORE SOPHISTICATED RANSOMWARE CREATES MORE CHALLENGES
Ransomware attacks, which doubled in frequency in 2021, stand as one of the most prevalent threats to an organization’s data security. Attacks have increased against vital infrastructures, such as healthcare providers, hospitals, pipelines and major food distributors. State-sponsored malicious actors have established a growing presence as ransomware perpetrators against large companies. And the threats have only been heightened because of the growing sophistication of the attacks and the gangs that execute them. For example:
There is a ransomware-as-a-service industry, which accounted for almost two-thirds of ransomware attacks in 2020. This, along with the widescale adoption of cloud technologies, account for why ransomware attacks have increased so much. It lowers the expertise threshold for threat actors who now do not have to a cyber expert to execute an attack.
There can be multiple extortion attempts in a single attack, making ransomware a multifaceted threat. An organization may be compelled to pay for a decryption key and then again to prevent encrypted data from being released or sold to interested parties. The malicious actor will also directly target the organization’s customers and business partners obtain another set of ransom payments.
While phishing remains a very common technique for gaining entry and the desired access privileges, threat actors have also been targeting organizations’ software supply chains to gain entry and access ransom assets. One example is the Kaseya attack.
There is no one solution or process that will stop ransomware. What will continue to mitigate the threats to data is a multilayered strategy that include sound cyber policies, MFA and hardened encryption.
EMPLOYEE CYBER AWARENESS HAS TO IMPROVE
Human error is still a significant threat to sensitive data, accounting for 85% of data breach incidents in 2021 according to one study. This underscores the importance of corporate culture placing the highest value on policies that will help create a culture of data security and privacy.
This means that the training workers receive should be mandatory, occur on a regular basis and clearly communicate how and why good cyber hygiene is necessary. The training applied should also take into account the specific roles of employees to make it engaging and relevant to the individual worker.
THE TYPE OF ENCRYPTION TECHNOLOGY USED MATTERS
Encryption is the necessary layer of data protection that helps ensure that sensitive data remains indecipherable and unusable to anyone but the authorized party. And it is important that the encryption technology organizations use is able to meet the moment in the digital age.
Many organizations still rely heavily on standard encryption solutions, such as those that employ the PKI scheme, like the SSL/TLS protocol. AES, with its 128- and 256-bit key lengths is frequently used around the world. However, these options have inherent limitations and have some vulnerabilities to MitM attacks, brute force attacks and lack crypto agility. They are also not very well suited to efficiently and quickly transmit the vast amount of data that has become the norm. Nor are the older standards easily deployable and in some cases undeployable in IoT and IIoT, where now a significant portion of the attack surfaces are residing.
The prevalence and escalation of cyberattacks in 2021, coupled with the threat quantum computing poses to solutions that employ standard encryption, underscores the urgency of using encryption technology that can safeguard sensitive data now and in the future.
The products offered by XSOC Corp, including the XSOC Cryptosystem, SOCKET, WAN-SOCKET and EBP, were created with Zero Trust principles in mind. XSOC technology:
Provides quantum-protection with a minimum 512-bit encryption strength
Is available as an SDK toolsets/API protocols, user-installable plugs and extensions or as-a-service offerings
Protects structured and unstructured data easily integrates into software or hardware infrastructure
XSOC CORP WILL CONTINUE TO PROTECT DATA INTO 2022
XSOC’s cryptography and encryption solutions are essential components of an effective data protection plan. We can help you counter the threats that await your organization’s sensitive data in 2022. Contact us today to learn how.