Why encryption is failing us

Encryption is viewed by many as bullet-proof technology. Organisations swear by it, and consumers feel overly confident knowing that their transactions and personal data are encrypted. But experience has shown that encryption is just not enough, argues Tom Kellermann, head cybersecurity strategist at VMware Carbon Black.

A look at recent high-profile data breaches shows that encryption either did nothing to prevent attackers from infiltrating systems or, worse, helped disguise the criminals while they were wreaking havoc inside organisations' networks.

In September 2017, Equifax announced a data breach that exposed the personal information of 147 million people. During the incident, an attacker was able to break into Equifax's systems in mid-May and hide within encrypted traffic until the end of July - more than two months without anyone noticing.

More recently, in November 2018, Marriott disclosed a data breach that affected 327 million customers, which, in my opinion, was based on a false sense of security in encryption. Hackers had been hiding in Marriott's systems since July 2014, gaining access to a whopping 25.6 million passport numbers in the breach, of which 5.25 million were unencrypted. While it seemed Marriott believed encryption would save the day, the technology was ultimately implemented incorrectly, leaving the organisation blindsided during the breach.

Encryption alone is not enough

Most organisations today invest in encryption because of regulatory mandates, yet they fail to understand that encryption is not bullet-proof. It is better viewed as a steel tunnel with a locked door at either end: the keys to those doors can and will be stolen.

It's a basic defence that protects data in transit or at rest, but it shouldn't be the only thing protecting our medical records, credit scores, bank statements and other digital documents that only we - and the vendor we choose and trust - should be allowed to see.

Think of a criminal breaking into a home. A basic lock on the front door alone won't stop them from getting at what's inside. Instead, they look for alternative routes such as side doors, open windows or the garage, or even try a skeleton key on the front door. The mistake lies in failing to protect the master keys.

The cybercrime wave of 2019 is flourishing due to the misconception that encryption is foolproof.

What should I do?

Unfortunately, we as consumers don't have much control over the security defences vendors use. It's a flawed trust system: we can only assume that organisations have multi-layered defences, beyond encryption alone, that will keep hackers at bay.

One might assume that large, well-known entities have better protection controls and a higher cybersecurity budget than smaller vendors, but as recent breaches have shown, size doesn't always mean tighter security. In addition, these large corporations are being targeted by elite hackers of the Dark Web, which undermines any proactive security posture.

When doing business online, there are a few best practices you can follow to better protect your information. Make it a point to share sensitive information only when the request is reasonable - for example, an online retail store shouldn't be asking you for passport details. If it is, it's a scam.

When entering personal details, make sure the website's address begins with https:, as the "s" stands for secure. You may also want to do some homework to confirm that the vendor hasn't had any major security issues recently and has been recognised for its security.

I also recommend limiting your exposure by taking these eight simple steps:

  1. Update all software on Tuesday nights - this includes apps

  2. Use security software on all devices

  3. Use Firefox for your browser

  4. Change your home router’s password

  5. Turn on firewall and use encryption

  6. Use sentences rather than passwords

  7. Never use public Wi-Fi or Bluetooth unless you use a VPN

  8. Never use your debit card online

We live in a world where most transactions are now done online. While we can follow best practices to better protect our information and conduct due diligence on online vendors, it is ultimately organisations' responsibility to realise that encryption alone is not the answer. It will eventually fail them and, in turn, your digital identity will be victimised.

Begin to choose who you do business with based on the seriousness of their security programs, as today, your physical safety is tied to your digital safety.