The world may have slowed down somewhat in recent months, but cyber-attackers haven’t paused for a second. Some big names have been hit by significant data breaches during lockdown – including Twitter, which fell victim to a spear-phishing attack, Marriott International (again), and the ubiquitous Zoom platform.
Remote working is still the norm within many organisations, and will become a permanent model for some, potentially increasing cyber-risk at a time when regulatory powers grow ever stronger. Against this backdrop, organisations are increasingly turning towards the encryption of data, along with additional endpoint controls, to manage risk.
Even with appropriate security software and firewalls in place, the human threat persists. In Apricorn’s annual survey into organisations’ attitudes towards data breaches, more than half (57 percent) of UK IT decision makers said they expect remote workers to expose their organisation to the risk of a data breach. Employees unintentionally putting data at risk remains the leading cause of a data breach, with lost or misplaced devices the second biggest cause.
More and more organisations are mitigating these concerns by implementing greater data encryption and strengthening endpoint controls.
Locking down the data
When asked whether they’d seen an increase in the implementation of encryption in their organisation since GDPR was enforced, 41% of survey respondents said they had.
Legislation hasn’t taken a break over lockdown either, and data encryption is a simple step towards GDPR compliance by safeguarding personal data. The regulation has clear mandates for encryption within Article 32, while Article 34 removes the obligation to individually inform each citizen affected by a data breach if encryption has been applied. Article 83 suggests that fines will be moderated where a company can show it has been responsible and mitigated damage suffered by data subjects.
The first step to ensuring data is encrypted as standard across the organisation is to enshrine the requirement in company security policy and enforce it wherever possible through technology. Two thirds of IT leaders said their organisation now has a policy of hardware encrypting all information, whether it’s at rest or in transit. Nearly all (94 percent) have a policy that requires encryption of all data held on removable media such as USB sticks and portable hard drives – a big rise from 66 percent in 2019. Of these, 57 percent use hardware encryption, which is seen as the ‘gold standard’.
Hardware encryption offers much greater security than software encryption, and PIN pad-authenticated, hardware-encrypted USB storage devices offer additional, significant benefits. Being software-free eliminates the risk of software hacking and keylogging; all authentication and encryption processes take place within the device itself, so passwords and key data are never shared with a host computer. This makes it particularly suited for use in highly regulated sectors such as defence, finance, government and healthcare.
By deploying removable storage devices with built-in hardware encryption, a business can roll this approach out across the workforce, ensuring all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access it.
Locking down the endpoint
With employees typically using a mix of personal and corporate devices to access data, systems and networks, businesses need to have confidence that the endpoint as well as the data is secure.
Every organisation should cover the use of employees’ own IT equipment for mobile and remote working in their information security strategy. Forty-two percent of UK IT leaders say that their organisations only permit the use of corporate IT provisioned or approved devices, and have strict security measures in place to enforce this with endpoint control, a huge rise compared with 11 percent in 2019.
There is room for improvement in this area, however: 6% of organisations don’t cover ‘shadow IT’ in their information security strategy, while 7% tell employees they’re not allowed to use removable media, but don’t have technology in place to prevent this.
At a time when such a large proportion of the workforce is operating outside the confines – and relative safety – of the office and corporate network, any holes in security policy will create unacceptable risk. All organisations must recognise the importance of endpoint controls and hardware encryption and how they can work together to help comply with data protection regulations and reduce the potential for a breach.
This is more critical than ever: the new societal values shaped by COVID-19 have thrown the importance of doing business responsibly into sharp focus. Preventing a data breach will not only mitigate the financial costs, it will also protect an organisation’s reputation and the trust of its customers.
Author: Jon Fielding, managing director EMEA, Apricorn