Data Breach Accountability: Who’s to Blame?
Published 07/16/2024
Written by Chad Walter, CRO, Paperclip.
Data breaches have surged in frequency and cost—to the tune of $8 trillion globally in 2023. And this isn’t just impacting the companies that are breached; these costs undermine customer trust and contribute to global inflation.
We are also seeing a massive shift toward hardline accountability and precedent from the Securities and Exchange Commission (SEC), the Office of the U.S. President, and other regulatory entities, requiring organizations to do more to protect the data they use to run their operations. The impact of cyber-crime and poor cyber controls goes far beyond the cost associated with data loss and ransom attacks. Added costs that highlight the greater impact include civil lawsuits, regulatory fines, loss of customers, higher interest rates (credit cards and lending practices), and even the possible arrest of cybersecurity leadership. In summary, the cost of cyber-crime doesn’t stop with cyber liability insurance claims or mitigation costs; it goes much deeper into the economic ecosystem.
This financial and societal impact is driving demand for retribution. When a data breach occurs, everyone is looking for someone to blame. Because of this demand for justice, CIOs, CISOs, or even CEOs often lose their jobs, and with new regulations and legal precedent, could now face more serious legal ramifications. But what if we stopped to consider what, not who, is to blame? It’s right in front of us.
Encryption Adoption Struggles
We know that the best way to secure data is to encrypt it, yet 40% of enterprises globally aren’t employing encryption on archives and backups, and 58% don’t encrypt their client data at all (Statista and Entrust, respectively). If large amounts of sensitive data are not encrypted, and therefore not secure, data breaches resulting in data theft and ransom attacks will continue to surge. There is no magic bullet that is going to fix this, but we do know that increased encryption adoption will solve a huge piece of the problem for most organizations, which will reduce the success and impact of cyber-crime.
Why is encryption adoption so low given that it’s mandated by compliance? Aside from limited security budgets, there is a challenge because we collect data in order to use it. Traditional encryption solutions don’t support this fluidity, or data in use: data must be decrypted to perform create, read, update, or delete (CRUD) operations. This means that every time we need to use a piece of encrypted data, such as data defined as PII, we must:
- Decrypt it and convert it to plaintext
- House it within accessible storage (RAM, cache, CPU, storage, or processing servers)
- Run our query or CRUD (Create, Read, Update and Delete) activities
- Re-encrypt the data and move it back into a secure environment
With the fluidity of today’s data usage requirements, this process has proven to be impractical, inefficient, and ineffective. It just doesn’t match the way most operations or applications function.
In addition, this all takes time and resources to manage, and we know time and resources are sparse and very expensive.
For example, this encrypt, decrypt, use, re-encrypt cycle is not practical for a 24-hour operation such as a global cellular communications company, where customer service representatives need access to billing and implementation data 24x7x365. No customer wants to wait on hold while a dataset is being decrypted just to ask about a charge on their bill. Then imagine the next rep putting the customer on hold because the database is in an encryption cycle.
This isn’t just a challenge for the telecommunications industry. Think about the challenge within the life insurance industry. They keep vast amounts of sensitive and private data that must be readily available to address life events. Again, this high-availability need is directly in conflict with traditional encryption limitations. And we’re not even addressing hospital functionality, where getting immediate access to patient health information (PHI) can save a life.
Yes, encryption adoption is critical, but it’s not plausible until it is aligned to the fluid nature of data use.
The Evolution of Encryption
The only way to truly protect sensitive, controlled, and private data is to fully encrypt it using the most advanced, widely adopted encryption methodology. Currently that methodology is set by the National Institute of Standards & Technology (NIST), which recommends the Advanced Encryption Standard (AES) with 256-bit keys, referred to as AES-256 (for more information, the Wikipedia entry is a good starting point). It is cited as quantum resistant, although more testing is needed, and NIST is exploring quantum-ready cryptography as part of a current competition.
AES-256 has become the standard for encryption at rest and in motion (in transit, or in flight). In both situations, the data is static. At rest this is obvious, but even in motion the data is static; it’s the container it’s within that is moving. For example, when you send an encrypted file, the data in the file is encrypted while it is static, and it must be decrypted for use.
There was a time when the data we collected and kept was for archiving or analytics and encryption at rest and in transit was all we needed. Of course, most operational activity was brick-and-mortar then, too.
Today, we’ve evolved to be mostly digital, and we leverage almost all the data we collect. Just look at how a restaurant works. Yes, you go to a brick-and-mortar location, but the operations such as the reservation, ordering system and payment systems are all cyber. Even the restaurant management systems are all cyber.
Now is the time to adopt a new evolution of data encryption: searchable encryption. This is encryption that has evolved to manage fluid, in-use data without decrypting it first. You can search encrypted data, and it can be done with no impact to your end-user applications or even your existing databases.
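To make the contrast concrete, here is an added Go example that puts the decrypt, use, re-encrypt cycle listed under Encryption Adoption Struggles side by side with an equality search that never decrypts. It is not Paperclip's code or its SAFE product; the record layout, the key handling, and the choice of an HMAC-based blind index (one common way to support exact-match search on encrypted fields, not the only searchable-encryption design) are this example's own assumptions. Each field is encrypted at rest with AES-256-GCM, and a separate keyed token lets the application answer "which rows have this email?" on the stored tokens alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one stored customer row (an assumed layout for this example): the
// email exists only as AES-256-GCM ciphertext plus a keyed blind index.
type Record struct {
	ID         int
	EmailCT    []byte // nonce || ciphertext || GCM tag
	EmailIndex string // hex(HMAC-SHA256(indexKey, "email-v1:" + normalized email))
}

// normalize must be applied identically at insert and at query time.
func normalize(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// encryptField seals plaintext under a fresh random nonce (encryption at rest).
func encryptField(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// decryptField reverses encryptField; a failed tag check returns an error.
func decryptField(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(data))
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}
// blindIndex is a deterministic keyed token: equal inputs give equal tokens, so
// equality is testable on stored tokens alone. Its key never leaves the app.
func blindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte("email-v1:" + normalize(value))) // domain separation
	return hex.EncodeToString(mac.Sum(nil))
}
func insertRecord(encKey, idxKey []byte, id int, email string) (Record, error) {
	ct, err := encryptField(encKey, []byte(email))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, EmailCT: ct, EmailIndex: blindIndex(idxKey, email)}, nil
}
// findByEmailDecryptAll is the traditional cycle: every row is decrypted into
// RAM, compared, and discarded. The second result counts those decryptions.
func findByEmailDecryptAll(encKey []byte, rows []Record, email string) ([]int, int, error) {
	var ids []int
	for _, r := range rows {
		pt, err := decryptField(encKey, r.EmailCT)
		if err != nil {
			return nil, 0, err
		}
		if normalize(string(pt)) == normalize(email) {
			ids = append(ids, r.ID)
		}
	}
	return ids, len(rows), nil
}
// findByEmailBlindIndex answers the same query with zero decryptions.
func findByEmailBlindIndex(idxKey []byte, rows []Record, email string) []int {
	var ids []int
	token := []byte(blindIndex(idxKey, email))
	for _, r := range rows {
		if hmac.Equal([]byte(r.EmailIndex), token) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}
func main() {
	encKey, idxKey := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(encKey)
	rand.Read(idxKey)
	r, _ := insertRecord(encKey, idxKey, 1, "Alice@Example.com")
	ids, n, _ := findByEmailDecryptAll(encKey, []Record{r}, "alice@example.com")
	fmt.Println("decrypt-all:", ids, "decryptions:", n, "| blind index:", findByEmailBlindIndex(idxKey, []Record{r}, "alice@example.com"), "decryptions: 0")
}
```

The decrypt-all search is the baseline the article criticizes: one decryption per row for every query, which is both the latency problem and the exposure problem, since every row's plaintext passes through memory to answer a single lookup. The blind-index search touches no plaintext at all. The trade-off a practitioner should weigh is that a deterministic token deliberately reveals which rows share a value, so keep the index key separate from the encryption key, limit the index to exact-match lookups, and avoid applying it to low-entropy fields where a token could be matched by guessing; the nonce in encryptField is what keeps the ciphertexts themselves from revealing that same equality.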
A Look to the Future
Cybercrime costs the world economy too much to be considered a simple cost of doing business. It’s become evident that the way we currently architect solutions to protect sensitive, controlled, and private data just isn’t working.
And with the rapid adoption of Generative Artificial Intelligence (GenAI), the risk is outpacing traditional solutions and approaches. GenAI can consume and create sensitive, controlled, and private data faster than traditional security and encryption solutions can keep up. It’s creating another dataset waiting to be compromised.
The numbers don’t lie—it’s time to take a different approach. Being able to encrypt data at its core while at rest, in motion, and in use will reduce the impact of cyber-criminal success. Network Security Architects, CIOs, CISOs, and other cybersecurity leaders can do more while reducing technology complexity, management, and cost.
You can’t block the threat-actor from getting into your environment, but you can block them from having access to your most prized possessions. Encrypt your data in use and regain control of your business, because nothing stops business growth faster than a data breach.
About the Author
Chad F. Walter joined Paperclip in June of 2022 and serves as the Chief Revenue Officer focused on the launch of Paperclip’s new SAFE solution. His responsibilities include leading the Paperclip Sales and Marketing initiatives through strategic growth, goal attainment, sales channel development, and new client acquisitions. Prior to joining Paperclip, Chad was the VP, Sales and Marketing for IGI Cybersecurity, VP Business Development for GreyCastle Security, and the founder of CF Walter Consulting. Chad has worked in various leadership roles within cybersecurity, technology, and globalization for more than 20 years.