IT Security Guru

Why Access Controls Are Not Enough to Stop Data Breaches

by The Gurus
August 29, 2018
in This Week's Gurus

By Linus Chang, CEO, Scram Software (https://scramsoft.com/)

Data breaches have become so commonplace that they are now treated as a given rather than as shocking news. Recent history offers many examples that show what is going wrong; here are three:

  • In June 2017, a data analytics contractor working for the Republican National Committee exposed records on 198 million American voters, about 1.1 TB of personal information, through a cloud storage misconfiguration caused by human error. The storage bucket was publicly readable with no authentication at all, so anyone who found its address could download the data. It was the largest known exposure of U.S. voter data at the time.
  • Also in 2017, a security lapse left critical servers belonging to Stewart International Airport in New York exposed to the internet for a full year. The human error was traced to insecure hardware configuration defaults that were never changed, which left sensitive data open to the world, including government files, a password list, and gigabytes of email.
  • In 2014, an attack on iCloud accounts led to nearly 500 private celebrity photos, many containing nudity, being leaked publicly. It was traced to a combination of targeted phishing and an iCloud API endpoint that did not lock accounts after repeated failed logins, so passwords could be guessed without limit.

And it isn’t just individual companies or small groups of customers that are suffering from these incidents either. Research shows that half of Filipinos, half of South Africans, and two-thirds of Americans have been affected by breaches.

Protective Layers

One might assume that after a few such devastating events, IT security teams would do whatever it takes to safeguard data. After all, humans make mistakes, developers and systems administrators included. Threats also come from first and second parties (people inside your company or your vendor base) as well as from third parties. Yet the number of data breaches worldwide keeps growing rather than shrinking, which shows that organizations are failing to take the necessary step for better data protection: adding encryption as a technological safeguard that protects data even when access controls have been breached.

Breach surveys have reported that roughly 96 percent of the records stolen in data breaches were unencrypted, essentially up for grabs for cybercrooks. Why isn't data at rest being encrypted when it should be? The problem comes down to the mistaken belief among many IT professionals that perimeter security is all they need. Once they have "secured" their network, they do not bother to implement security within it. That is not enough: once someone is inside, it becomes a free-for-all. Another safety net is needed as an added layer of protection, to catch companies when they fall.

Home Invasion

To see why access controls alone do not work, consider how you would store a $5 million diamond in your home. The smart solution is clearly not one layer of protection but several. You would start by locking your doors and windows, the "perimeter security" of your physical home.

But you would also recognise that determined thieves can find a way through these "access controls," so you would not leave the diamond lying in full view on the kitchen table. You would put it in a safe, with a combination and a key, as another layer of security in case the locked doors and windows fail to do their job.

Sensitive data is as valuable as a diamond once you price out the consequences of its compromise, so it too needs to be kept in a "safe" of sorts. Encryption is the cyber equivalent of that safe. And because an IT system has countless potential points of entry, locking only the doors and windows is even less realistic than it is for a house, which makes having a breach mitigation strategy at the ready all the more crucial.

Steps to Security

Instead of relying only on access controls, IT professionals should routinely encrypt their primary copies of data and, even more importantly, their secondary copies: all backups, migrations, archives, and transfers, as well as live data. The best practice for administrators is to build encryption into the existing backup automation so that every backup is encrypted without anyone having to remember to do it. Some backup paths do not encrypt natively (a plain mysqldump of a MySQL database, for example, writes cleartext SQL), so wrap their output with an encryption tool. Don't stop with backups, though: encrypt all transfers between parties as well.

Choose wisely, as not all encryption systems offer equal results. A strong encryption system leaks no information to the adversary while locking them out. Ideally, an end-to-end encryption solution will encrypt both data and metadata (file names and sizes reveal a great deal on their own), support both cloud and local storage, and protect integrity as well as privacy: it should detect tampering and substitution attacks, in which an attacker swaps one validly encrypted object for another, rather than merely hiding the contents.
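
The backup step above, and the integrity and substitution requirements just listed, as an added example that is not from the article and not part of Scram Software's products: a small Go tool that a nightly backup job could call on a dump file before it is copied off the host. It uses AES-256-GCM from the Go standard library and authenticates the backup's name and sequence number as associated data, so a ciphertext that is tampered with, truncated, or presented as a different backup is rejected on restore. The dump contents, the object name customers.sql, and the sequence numbers are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// sampleDump is a constructed stand-in for the cleartext output of a dump
// tool such as mysqldump; it is not real data.
var sampleDump = []byte(
	"-- MySQL dump (constructed sample)\n" +
		"INSERT INTO customers VALUES (1,'Alice','alice@example.com');\n")

// BackupVault encrypts backup objects with AES-256-GCM. Each sealed object is
// stored as: nonce (12 bytes) || ciphertext || 16-byte GCM tag.
// The object's name and sequence number are authenticated as associated
// data, so a valid ciphertext cannot be passed off as a different backup.
type BackupVault struct {
	aead cipher.AEAD
}

// NewBackupVault wraps a 32-byte key. In production the key comes from a
// KMS or a protected keyring, never from the backup host's own disk.
func NewBackupVault(key []byte) (*BackupVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &BackupVault{aead: aead}, nil
}

// associatedData binds the backup's identity (sequence number + name) to the
// ciphertext. It is authenticated by the GCM tag but not encrypted.
func associatedData(name string, seq uint64) []byte {
	ad := make([]byte, 8, 8+len(name))
	binary.BigEndian.PutUint64(ad, seq)
	return append(ad, name...)
}

// Seal encrypts one backup object under a fresh random nonce and returns the
// envelope nonce||ciphertext||tag.
func (v *BackupVault) Seal(name string, seq uint64, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving the stored envelope.
	return v.aead.Seal(nonce, nonce, plaintext, associatedData(name, seq)), nil
}

// Open decrypts an envelope and fails closed on any tampering, truncation or
// substitution (wrong name or sequence number for this ciphertext).
func (v *BackupVault) Open(name string, seq uint64, envelope []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(envelope) < ns+v.aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:ns], envelope[ns:]
	pt, err := v.aead.Open(nil, nonce, ct, associatedData(name, seq))
	if err != nil {
		return nil, fmt.Errorf("backup %q #%d failed integrity check: %w", name, seq, err)
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	vault, err := NewBackupVault(key)
	if err != nil {
		panic(err)
	}
	// Nightly job: encrypt backup #42 of customers.sql before it leaves the host.
	env, err := vault.Seal("customers.sql", 42, sampleDump)
	if err != nil {
		panic(err)
	}
	// A restore under the right identity succeeds; the same envelope presented
	// as backup #43 (substitution) or with one flipped byte (tampering) fails.
	_, okErr := vault.Open("customers.sql", 42, env)
	_, subErr := vault.Open("customers.sql", 43, env)
	env[len(env)-1] ^= 0x01
	_, tamperErr := vault.Open("customers.sql", 42, env)
	fmt.Println("restore:", okErr, "| substitution:", subErr, "| tampering:", tamperErr)
}
```

Two caveats a practitioner should keep in mind. Random 96-bit nonces are only safe while the number of objects sealed under one key stays far below 2^32, so rotate keys (a fresh key per backup set, itself wrapped by a KMS) long before that. And the name placed in the associated data is authenticated but not hidden; if file names are themselves sensitive, store the object under an opaque identifier and keep the real name inside the encrypted plaintext.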

As you take these steps, keep in mind that there are multiple reasons why you are doing so. Data security is now not only a legal requirement under GDPR and other privacy legislation, but it has also become a moral obligation for businesses that keep customer data. Companies are considered the custodians of consumer data, and organizations that fail to properly protect it can find themselves facing hefty fines. So it’s important to secure this data with multiple layers of defense, as if it really were a precious diamond.

Examining why data breaches keep occurring makes the solution clear. IT professionals need to learn the lesson of relying on access controls alone and instead adopt multiple layers of security. Encryption is the single most effective strategy for securing data privacy and integrity, and it is the cyber equivalent of keeping your data in a safe rather than out on the kitchen counter. Encrypt all backups and live data, then protect the keys and credentials with equal care, and you have the answer to limiting the damage of a breach, securing data, and making the world a safer place for companies and consumers alike.

Linus Chang, CEO, Scram Software (https://scramsoft.com/) Bio

Linus Chang is a computer programmer and entrepreneur from Melbourne, Australia.

Chang started programming computers aged seven. He spent his spare time coding up hobby projects and learning different programming languages, winning numerous awards and subsequently representing Australia in programming as a teenager. Shortly after graduating from Monash University (Melbourne, Australia), he ventured into business and entrepreneurship. Linus is also known for creating the BackupAssist product, which has sold over 100,000 copies to the Small to Medium Business (SMB) market in 145 countries.

Chang has a passion for creating mass-market software products that solve real-world problems and make people's lives better. He founded Scram Software to address the security issues that businesses face when using the cloud.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic
