Encryption and authentication — let's learn more about why your company needs these security tools.
Because IT staff and resources are often sparse within mid-sized businesses, they see the public cloud as a great option. But in the rush to take advantage of everything the cloud has to offer, they tend to focus on networking and scaling first, with security as an afterthought. And when they do think about security, it is usually in terms of who on the team has access. It is a common assumption that security is the cloud provider's responsibility, when in reality it is shared: the provider secures the physical infrastructure and the platform, while the customer remains responsible for its own data, identities, and configuration.
Failure to recognize this responsibility results in an open door for cybercriminals. It is not sufficient to know who your admins are once a breach occurs. Securing your data is critical, but, as you will see, it does not have to be complicated.
Another error often found among mid-market companies is doubling down on network-based solutions. Firewalls and signature-based detection are preventative controls that recognise known attack patterns, whereas zero-day attacks, by definition, exploit vulnerabilities nobody has catalogued yet, so perimeter tools alone will miss them.
A third weakness is the continued reliance on passwords, or any other shared-secret scheme, to authenticate people. Lists of breached passwords are for sale on the dark web, phishing remains a reliable way to harvest users' passwords, and password-cracking tools keep getting better.
These are all important issues that need to be addressed, but what creates the greatest vulnerability is the idea that no bad actor would bother to breach you because your company is too small, unimportant, or not valuable enough. Bigger is not always better to cybercriminals. Yes, bigger businesses tend to yield a bigger pay-off, but they also have stronger security programs than mid-sized companies. Like any other criminal, attackers go for the low-hanging fruit.
The Cost of a Breach
The average clean-up cost to mid-market businesses after a breach is more than $1 million. In addition to clean-up and containment costs, there may be fines, depending on the industry and jurisdiction the company falls within. A mid-sized business may not have the funds to survive a breach.
Ransomware, malware, phishing, social engineering, and web-based threats are the primary attack vectors against smaller businesses, according to the report noted above. Firewalls and malware-detection software are available inexpensively, but they defend the perimeter; once an attacker is inside the network, whether through a phished credential or a compromised host, they do nothing to protect the data itself.
The Case for Encryption
Encryption has, so far, been viewed by mid-sized businesses as an expensive security tool that only enterprises need. However, medium-sized companies are being increasingly targeted by cybercriminals for data. One study found that 53 percent — just over half — of mid-market businesses suffered one or more breaches last year.
Compliance is also a consideration. Today’s regulatory environment reaches into every industry and company size. Small companies with medical records, for instance, have private data that needs strong data protection that meets industry compliance regulations.
Organizations also see encryption as complex and confusing, and so tend to ignore it or discount it as a viable control for mid-sized companies. It is not as hard as it sounds. Encryption transforms data and files so that only holders of the right key can read them, while everyone else sees only ciphertext. Where the encryption happens matters a great deal, though. Encrypting at the network (TLS), the web or application server, the database (transparent database encryption), or the disk (full-disk encryption) each defends against one specific threat, such as a stolen drive or an eavesdropper on the wire, but each is transparent to whatever runs above it: the operating system, database engine, or server decrypts automatically for any process that asks. Only encryption performed by the business application itself keeps the data protected against an attacker who has compromised one of those lower layers.

Application-layer encryption is vital because, if data is encrypted or decrypted in any part of the system other than the business application using that data, significant residual risk remains despite the encryption. An attacker who compromises any software layer above the encrypting layer (a database account above disk encryption, an application server above database encryption) sees plaintext.

Since the application is the highest layer in the stack, it is the most logical place to protect sensitive data: it gives the attacker the smallest target, and the key material stays with the application rather than with the storage or transport that holds the ciphertext. Data leaving the application is then protected wherever it goes, in the database, in backups, in logs, or in a cloud bucket, and must come back to the application (or something holding its key) to be decrypted. The protection is only as good as the key management, however: if the key is stored beside the ciphertext, or in a configuration file the same attacker can read, the layering buys nothing.
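As an added example, not part of the original article, here is application-layer encryption in Go: the application seals a field with AES-256-GCM before handing it to the database and is the only component that holds the key. The record ids, the in-memory Store standing in for a database table, and the fixed DemoKey (a stand-in for a key fetched from a KMS) are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Store stands in for a database column the application does not trust: a DBA,
// a backup operator or an attacker with SQL access all see exactly these bytes.
type Store map[string]string

// newAEAD wraps the key in AES-256-GCM. The key is held by the application only;
// nothing below it (database, disk, OS) ever sees it.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive value before it is written to the store.
// The record id is passed as additional authenticated data, so a ciphertext
// copied into another row fails authentication when it is read back.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	// Layout: nonce || ciphertext || GCM tag, base64 so it fits a text column.
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptField opens a value read from the store; any modification, wrong key
// or wrong record id is reported as an error rather than as garbage plaintext.
func DecryptField(key []byte, recordID, token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("token too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DemoKey is a fixed 32-byte key so the example runs offline (constructed for
// this illustration). In production the key comes from a KMS or HSM, is fetched
// by the application at startup, and is never written next to the data it protects.
func DemoKey() []byte { return []byte("0123456789abcdef0123456789abcdef") }

func main() {
	key := DemoKey()
	db := Store{}
	tok, err := EncryptField(key, "patient:42", "SSN 123-45-6789")
	if err != nil {
		panic(err)
	}
	db["patient:42"] = tok
	// What the database, its backups and anyone querying it actually hold:
	fmt.Println("stored:", db["patient:42"])
	pt, err := DecryptField(key, "patient:42", db["patient:42"])
	fmt.Println("application reads:", pt, err)
	// The same ciphertext presented under a different record id is rejected.
	_, err = DecryptField(key, "patient:43", db["patient:42"])
	fmt.Println("moved to another row:", err)
}
```

The point of the example is the trust boundary: the database, its backups, and anyone with a database login hold only the base64 token, and the only component that can turn it back into plaintext is the application holding the key. Binding the record id as associated data also stops an attacker with write access from swapping one row's ciphertext into another.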
Encrypted data is gibberish to everyone except the person who has the appropriate key. How can you control access to those encryption keys? Authentication.
The Case for Authentication
Authentication comes in several forms, including one-time codes delivered by SMS or email, hardware tokens, and biometric verification. The point is to make sure that the person or system asking for access to data is really who or what it claims to be. Not all second factors are equal: codes sent by SMS or email can be intercepted or simply phished along with the password, because the user types them into whatever page is in front of them. For gating access to encryption keys, an authenticator that holds a private key in hardware and proves possession with a user-presence gesture (a touch or a biometric) is the strongest option.
The FIDO Alliance's standards (U2F and, more recently, FIDO2/WebAuthn) bring this approach to the web. Rather than a shared secret, the authenticator holds a per-site public/private key pair and proves possession of the private key by signing a server-issued challenge, building on decades of public-key cryptography. The signed response is bound to the web origin the browser observed, which is what makes the scheme phishing-resistant and lets the server enforce strict authorization for access to encrypted data and files.

The Alliance's goal is ubiquitous, phishing-resistant, strong authentication for internet users worldwide. FIDO protocols and the authenticators they run on:
- Resist phishing: the signature covers the challenge and the origin the browser saw, so an assertion captured on a look-alike site does not verify at the real one and cannot be used to masquerade as the legitimate user
- Protect privacy: keys are unique per site, so a lost or stolen authenticator does not reveal which accounts it protects or let an attacker link a user across services, and a PIN or biometric on the device can still gate its use
- Keep the private key inside the authenticator, where it cannot be exported or harvested remotely the way a password database or file-based credential can be
- Require the user to prove presence (a touch, PIN, or biometric) at the computer originating the transaction, with the authenticator in hand
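To make the phishing-resistance claim concrete, here is an added example in Go of the challenge-response the bullets describe. It is not FIDO Alliance code and is not wire-compatible with WebAuthn; it is a deliberately simplified model. The authenticator signs the server's challenge together with the origin the browser observed, and the server rejects an assertion whose origin does not match, one that reuses a challenge, or one signed by an unregistered key. The type names Authenticator and RelyingParty and the origins bank.example and bank-login.example are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData stands in for WebAuthn's clientDataJSON: the server's challenge plus
// the origin the browser observed. The browser fills in Origin, not the web page.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the authenticator hands back: client data and a signature over it.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte // ASN.1 ECDSA signature over SHA-256(ClientDataJSON)
}

// Authenticator models a FIDO token: a P-256 key pair whose private half never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing registered with the site.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign is the user-presence step: after a touch, the token signs the challenge
// together with the origin the browser reports.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin}) // cannot fail for this struct
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the server: its own origin, the user's registered key, and outstanding challenges.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh random challenge and remembers it; each one is single-use.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify rejects replays (unknown or used challenge), phishing (origin mismatch)
// and forgeries (signature fails), in that order.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[string(cd.Challenge)] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	delete(rp.pending, string(cd.Challenge))
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q (phishing)", cd.Origin, rp.origin)
	}
	digest := sha256.Sum256(as.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

func main() {
	tok, _ := NewAuthenticator()
	bank := NewRelyingParty("https://bank.example", tok.PublicKey())
	c, _ := bank.NewChallenge()
	as, _ := tok.Sign(c, "https://bank.example")
	fmt.Println("genuine login:", bank.Verify(as))
	c, _ = bank.NewChallenge()
	as, _ = tok.Sign(c, "https://bank-login.example") // relayed through a look-alike site
	fmt.Println("phished login:", bank.Verify(as))
}
```

The phishing case is the instructive one: the attacker's page can relay the genuine challenge to the victim, and the victim's token will happily sign it, but the browser records the attacker's origin in the client data, so the signature the bank receives is over the wrong origin and is refused. Nothing the user can type or click changes that, which is the difference from an SMS code that the victim would simply hand over.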
Locking Out the Bad Guys
Fishermen, as they say, go where the fish are. For cybercriminals fishing for data, a mid-sized company can be just as profitable a catch as an enterprise — and less work, since mid-market organizations have less-robust security, for the most part. Smaller companies also tend to have smaller coffers, so the rising cost of a data breach could be financially ruinous.
Fortunately, help is available. Encryption is now within reach for mid-sized companies, and authentication adds another much-needed layer of security. Using these tools, data can be kept safe even if attackers get into the network. They bring some peace of mind in this era of ever-evolving cyber threats.
ALSO SEEN IN: DZone