This week, an Apple-commissioned report underscored the longstanding advice from analysts on the crucial role of end-to-end encryption in safeguarding sensitive data from theft and misuse.
The report, derived from an independent study of publicly reported breach data that a Massachusetts Institute of Technology professor conducted for Apple, sheds light on a concerning trend. Over the past two years, there has been a notable surge in data breaches and compromised records, largely attributed to ransomware campaigns and attacks targeting trusted technology vendors. This emphasizes the pressing need for robust security measures, such as end-to-end encryption, to fortify against these escalating threats.
A Staggering Rise in Data Breaches
Across 2021 and 2022, an alarming 2.6 billion personal records were exposed in data breaches, with a whopping 1.5 billion compromised just last year. If current trends persist, it’s anticipated that 2023 will witness an even higher number of records at risk.
In the first nine months of 2023, data breaches have already surged by 20%, surpassing the total recorded in all of 2022. By the end of August 2023, corporate and institutional breaches had left around 360 million individuals exposed to potential threats.
Key insights from IBM’s 2023 Cost of a Data Breach and a Forrester research study, cited in the Apple report, reveal concerning patterns. Ninety-five percent of organizations grappling with recent breaches had encountered at least one prior breach, and a significant 75% had faced a data compromise incident within the previous 12 months.
Ransomware and attacks on vendors emerged as major contributors to the escalating data breach crisis. Ransomware attacks witnessed a substantial 70% surge in the first nine months of 2023 compared to the same period in 2022. Additionally, a 50% increase in organizations reporting ransomware attacks during the first half of 2023 compared to 2022 suggests a continued upward trend for the rest of the year.
The study also sheds light on the unsettling fact that a staggering 98% of organizations have ties to a technology vendor grappling with recent data breaches. Notable examples in the report include incidents at Fortra, 3CX, Progress Software, and Microsoft, impacting a wide array of organizations and individuals.
Addressing this growing threat to consumer data, Apple’s report underscores the consequences of accumulating vast amounts of unencrypted personal data, particularly in the cloud. The key recommendation emphasizes the critical role of encryption in mitigating risks, urging organizations to encrypt stored data to limit access to those with the decryption key, ultimately reducing the likelihood of unauthorized use or sale of consumer data.
Urgent Call for Encryption in the Face of Rising Breaches
The importance of encrypting data—whether it’s in use, in transit, or at rest—has long been acknowledged as a critical safeguard. The effectiveness of data encryption in preventing stolen data from being misused and rendering it useless to unauthorized individuals is widely accepted. Various regulations and industry guidelines, such as PCI DSS, HIPAA, GLBA, and the EU’s GDPR, emphasize the necessity of encryption, particularly for stored and transmitted data.
Demi Ben-Ari, CTO and co-founder of Panorays, emphasizes the significance of encryption in protecting sensitive information against unauthorized access. By making data unreadable to unauthorized parties, encryption significantly lowers the risk of data exposure in the event of a breach. Ben-Ari notes, “The strength of encryption in rendering stolen data useless underscores its essential role as a fundamental protective measure.”
Despite the clear benefits, as highlighted in Apple’s study and others, numerous organizations have been slow to adopt data encryption for various reasons. Craig Jones, vice president of security operations at Ontinue, points to perceived complexities, potential costs, worries about performance impacts, and a lack of in-house expertise as factors hindering the widespread implementation of encryption systems.
Unraveling the Encryption Challenge: A Closer Look
According to Jones, implementing end-to-end encryption can range from a bit tricky to quite a tough task. The level of difficulty hinges on factors like how big the organization is, the current setup it has, and what kind of data needs safeguarding. Jones highlights that this process demands careful planning, investing in the right tools, and often changing how the organization thinks about and manages data security. Key management can be a big headache for organizations, as losing keys could mean losing access to data permanently. Additionally, organizations need to consider how encryption might affect performance and make sure it works well with their current systems, says Jones.
Cloud computing is quickly becoming a big player in the field, and organizations need to take this into account when thinking about encryption plans. Data from Apple’s study reveals that a whopping 80% of breaches involved data stored in the cloud. Encrypting this data can be trickier than doing so with data kept on-site.
Ken Dunham, director of cyber threats at Qualys, points out that organizations with strong security practices usually have a good grip on their older networks. However, when they shift to the cloud, they often lose the visibility, management, and operational control they need to deal with the ins and outs of encryption. Adding to the complexity, organizations must juggle both old and new technologies as part of their digital transformation journey.
Ben-Ari warns against a common mistake: relying solely on cloud providers for data encryption. While these providers offer useful security measures, organizations must take direct responsibility for encrypting their data.
He suggests that organizations go for user-friendly technologies to make integration smooth. Phased implementations can also help minimize disruptions to daily operations.
Lastly, he recommends that organizations tap into the shared responsibility model offered by many cloud providers and leading SaaS vendors. This model allows organizations to provide users with advanced encryption features at the click of a button.