Author: Rick McElroy, Security Strategist, Carbon Black
In my last two blogs, we discussed the importance of training and preparedness. These factors can determine if an organisation can successfully contain and mitigate the damages a breach when it happens. This week we dive into the question(s):
What percentage of critical data is known and encrypted? & Why is this question important as a CEO?
One of the best examples to illustrate the significance of these questions is the Equifax breach. This breach resulted in more than 145 million Americans having their private information stolen. Equifax failed to encrypt this data set and that failure made the data usable by the perpetrators of the crime. One control could have actually prevented the data from being usable regardless of the underlying vulnerability that resulted in the breach itself.
As a CEO, it’s not important that you understand HOW cryptography actually works. (Although we welcome more of you to understand the technology that enables security, we certainly don’t expect you to.) However, you ARE responsible for the data and should know that encryption is in use for all critical data.
The first step would be to know whether or not critical data is accounted for by having an inventory. You can’t protect what you don’t know about and the team will have work to do to discover it and maintain the program around it. Being in a “known state” is a huge step to having a successful program and ensuring your critical corporate and customer data is protected in the event of a breach.
Knowing the percentage of data encrypted will help you track whether or not you have the right budget, resources, and efforts assigned to the protection of your data. Having encrypted data sets is a great way to mitigate lots of attacks. As long as it is properly managed, it becomes very difficult to crack it and read the contents rendering the data useless from a profit or intelligence perspective.
There are a number of different methodologies to encrypt data. Your team should be able to answer any questions you have as a follow up to this one but thinking of critical data locations and whether or not they are encrypted is a great way to ensure that, even if breached, it will remain protected. It’s also the right thing to do and doesn’t cost a ton. It’s one of the most cost-effective measures a team can take to protect themselves.
Think of encryption as the one save you have when all other measures to protect your data fail. That’s an oversimplification but I think you get the point.