Fortifying data security with advanced technology

As the repercussions of numerous high-profile data breaches endure, Andrei Stoian at Zama discusses the urgent need for information security decision makers to use robust encryption and protection methods

 

Unfortunately for today’s businesses, the risk of financially motivated cyber-incidents, especially ransomware and extortion, is more pronounced than ever. 

 

According to Verizon’s 2024 Data Breach Investigations Report (DBIR), there has been a substantial growth of attacks involving the exploitation of vulnerabilities as an initial access step. At 14% of all breaches, it’s almost triple the amount from last year’s report, which will come as no surprise to anyone who has been following the effect of MOVEit and similar zero-day vulnerabilities. 62% of financially motivated incidents also involved ransomware or extortion, with a median loss of  $46,000 per breach - a potentially devastating figure for any small to medium-sized enterprise (SME).

 

These statistics see businesses face a stark reality. Because cyber-criminals are increasingly adept at finding and leveraging weaknesses in software and systems - often zero-day vulnerabilities that some businesses may not even know they have - shifting from a reactive to a proactive cyber-security approach is essential. 

 

Who is most at risk?

While the protection of sensitive information has become a critical concern for all businesses, recent studies have highlighted certain industries are more vulnerable than others, including manufacturing, education and healthcare. 

 

The latter of these has been a persistent target this year and is of particular interest when it comes to data protection. That’s because, alongside the potential financial implications of a breach, healthcare also has people’s lives to worry about, with cyber-criminals attracted to the critical data and the chance to exploit the life-threatening nature of service disruption. 

 

Take the 2023 breach of 23andMe, which exposed the personal profile and ethnicity information of nearly 6.9 million users. Despite the 23andMe breach being over a year ago now, and the fact that some ransomware groups have even publicly stated that they avoid targeting healthcare organisations, the fallout from the 23andMe breach continues to pose significant concerns for affected users, all while further attacks continue to take place. In fact, over 14 million patients have been affected by malware attacks on U.S. healthcare organisations, with 91% of these breaches involving ransomware, this year alone. 

 

While 23andme is just one of several instances where DNA and ancestry websites have been hacked, exposing sensitive personal data, the risk of privacy invasion, targeted discrimination, and identity theft to so many people has made it a particularly alarming case that should serve as a stark reminder to all businesses about the critical need for robust cyber-security measures.

 

Advanced solutions for data security

Alongside cyber-security awareness training, multi-factor authentication (MFA), regular vulnerability assessments, and endpoint protection,  encrypting data is essential to protect sensitive information from unauthorised access. 

 

As data breaches and cyber-attacks become increasingly common, ensuring privacy through encryption helps prevent misuse of personal data, financial loss, and potential harm to individuals’ security. 

 

The following technologies not only minimise the risk of data exposure but also empower organisations to leverage sensitive information for research and personalised healthcare without compromising user privacy:

 

End-to-end encryption (E2EE): Considered a more traditional encryption method - and one that’s widely used at the moment - E2EE allows only authorised parties to decrypt and view the data.

 

However, E2EE requires data to be decrypted at the destination in order to be processed or analysed. This means that while the data is protected during transmission, it is vulnerable at the decryption point, which can be an entry point for potential cyber-criminals or insiders with access to the decryption key.

 

Fully Homomorphic Encryption (FHE): FHE allows encrypted data to be processed without ever being decrypted. This groundbreaking approach ensures that sensitive data remains encrypted throughout the entire process, minimising the risk of exposure or unauthorised access.

 

Take DNA testing platforms as an example - they analyse your genetic data in the clear, leaving it vulnerable to hacks. But by using FHE for DNA data, companies can provide personalised insights, such as health recommendations or ancestry information, while maintaining the highest standards of privacy. Users can be confident that their sensitive genetic data remains secure and is never exposed during the analysis, even to the service provider itself. This is a major leap forward in ensuring privacy for DNA testing and related services.

 

Secure Multi-Party Computation (MPC): This technology complements FHE by enabling collaborative protocols that allow multiple parties to jointly compute data without revealing it to each other. For example, a user can maintain control over their data encryption, while a designated entity can perform analysis on the encrypted data without ever seeing or accessing the raw information.

 

This collaborative approach ensures privacy and security, even when multiple entities are involved in the data processing or analysis.

 

Differential privacy: A privacy-enhancing, technology-backed technique that adds controlled noise to data, allowing organisations to analyse trends without exposing individual records. Paired with encryption, these technologies minimise the risk of data exposure, empowering sectors like healthcare to leverage sensitive information for research and personalised treatments without compromising user privacy.

 

Securing data isn’t just about simply protecting information. The end goal is to enable businesses to leverage valuable, sensitive data, while safeguarding the future of industries and the people they provide services to.

 

With cyber-threats growing more sophisticated by the day, implementing advanced security technologies, such as FHE and MPC - alongside a suite of cyber-security practices - should be the decisive path forward.

 

Remarkable progress has already been made in this direction, as proved by recent applications. MPC has been deployed to secure record linkage for healthcare services, and Apple has enabled FHE-based use cases like Caller ID spam classification and place recognition.

 

This proves that these technologies are attractive for organisations and businesses with their ability to effectively combine security and the ability to use the data.

 

---

 

Andrei Stoian is ML Director at Zama

 

Main image courtesy of iStockPhoto.com and MF3d