During lockdown, like most of us, I watched a lot of television. I re-watched some of the old Sci-Fi TV shows and films – Star Trek, Babylon 5, Farscape and Star Wars. One of the repeating themes is how bad security is. Anyone with a sonic screwdriver and access to a control panel could break into any system, vault or prison cell in a matter of minutes.
Today our security measures are somewhat more sophisticated, but so are the tools and techniques used by hackers. And, as we know, the volume of data and the prizes available from stealing that data have increased out of all proportion since Captain Kirk’s day. But have our security measures improved proportionately?
WHAT IS THE CURRENT SITUATION?
Year-on-year, more consumer records are breached, with more and more breaches being reported. In 2019 there was a 17% increase in data breaches reported compared to 2018. In the first five months of 2020  over 1.6 billion records were breached. There are no indications that things are improving, in fact it’s far from it.
WHAT ARE THE MAIN CAUSES OF THE BREACHES?
According to the Infosec Institute , the seven most common causes of data breaches are:
- Accidental web/internet exposure
- Data on the move
- Employee error/negligence/improper disposal/lost
- Insider theft
- Physical theft
- Unauthorised access
These breach categories are interesting as they allow us to categorise, and individually address, the breaches that we need to protect against. But they also hide the root cause of almost all of these breaches which can be summed up quite easily. There are too many moving parts.
Traditional data security best practice involves fourteen high level procedural and technical controls with over one hundred sub-controls. With this level of complexity, the question becomes “when” and not “if” security breaches will occur. Which is exactly what the statistics are telling us.
MAYBE WE ARE ADDRESSING THE WRONG PROBLEM?
What, if instead of fighting multiple losing battles, we decided to focus on winning the war? What if we accept that breaches will always occur and that, instead of fighting battles to prevent different types of breaches occurring, we focus on reducing the impact of any breach. This feels measurable, positive, and it actually has a chance of success.
WINNING THE WAR
Wallet.Services’ Siccar platform offers the opportunity to raise our sights and win the war. Siccar reduces the number of controls required to securely share data to just four:
shared data governance;
use-to-use encryption of data;
a highly available, cyber-resilient, store;
and cryptographically secure updates
With Siccar, all data is uniquely encrypted by default with the receiver’s key. This means that, in the event of a breach, the data is beyond use and a “brute force” hack is astonishingly unlikely to unlock it. Siccar uses the SHA-2 family of hashes. This is a globally accepted standard and is authenticated as “safe” by the National Institute of Standards and Technology.
Siccar allows us to reduce the number of controls required to secure data and to focus our energy on the single most important question that requires to be answered to win the war: “How do we protect the keys that protect the data?”. This problem has been solved already. Combining Hardware Security Modules with public-key cryptography and managed identities makes it totally impractical, if not impossible, to breach a single key and unlock one byte of data.
It would have been a pretty short Star Wars franchise if the Bothans had gone to all the trouble of stealing the death star plans only to discover that the plans were encrypted. We need to consign sonic screwdrivers to history and to move our thinking on data security to a much higher level — one that reflects the true value of the digital economy and properly implements the data governance it should provide.