Ignoring it is not an option, writes Joe Marsella, pictured, CTO, EMEA at network product company Ciena.
Hacking and data breaches have become a disturbingly regular fixture in the news as organisations and institutions, from major retailers to government departments, fall victim to opportunistic acts of network intrusion. Unfortunately, these breaches have a high value to the criminals: they are usually targeted at an organisation with the express aim of acquiring sensitive and valuable data that can be sold on the dark web or used directly for fraudulent gain. The same breaches also have a significant financial and reputational impact on any organisation affected. The Ponemon Institute’s 2015 Cost of Data Breach Study, its most recent investigation, confirmed that the average cost of a data breach to a company is £2.66m ($3.79 million), a 23 per cent increase over the last two years.
While retrospective countermeasures are expensive, data breaches also affect a number of crucial functions within a business, from the manpower needed to find and fix the vulnerability to the communications with affected third parties. When this is combined with lost sales and damage to brand reputation, it is vital that both the financial and the practical benefits of insulating data from threat are well understood.
Compliance is key
The legislative landscape is changing rapidly on both sides of the Atlantic in the face of the growing threat to sensitive digital information. In the US, 47 states have passed laws requiring notification of breaches involving personal information, and 29 US states have laws that require organisations to make personal information unreadable or undecipherable if retained or transmitted. In Europe, various countries are passing tougher data regulations. In the Netherlands, for example, the Dutch Data Breach Notification Law came into effect on January 1st 2016 – with the obligation to report any breaches not only to the authorities, but to all involved. These new rules not only require the disclosure of data thefts but also carry hefty fines – up to 10 per cent of turnover. All this comes ahead of the formal adoption of the General Data Protection Regulation (GDPR) in Europe later this year, which aims to harmonise data security legislation as well as the penalty fines across the EU. Crucially, the GDPR will require organisations to comply with strict rules and a duty of care relating to data retention and transmission. This is where encryption plays a critical role for organisations and service providers – not only to ensure their own compliance, but to provide compliant managed connectivity services to end-customers and consumers.
Encryption in-flight provides an effective defence against data leaching. Hackers connect to a network at a key point and sit there passively for long periods of time to remain unnoticed, syphoning any data that flows past them. If the in-flight data is encrypted, copying packets as they pass will ultimately prove fruitless. A complete security strategy means assessing risks business-wide, on the macro level. For this to be truly effective, the underlying connecting network must be seen as absolutely crucial, in addition to the applications, repositories and endpoints connected to it.
In-flight encryption at the optical layer has numerous operational benefits. As it captures all data traversing an organisation, it ensures that every byte is protected. It is also protocol-agnostic, ultra-low latency and designed to accommodate high-bandwidth services and applications, which is crucial for organisations dependent on information held in data centres or cloud environments.
For service providers, this means they can provide advanced encryption with the highest security cryptography algorithms available as a packaged service for enterprise customers, or even offer ‘Encryption-as-a-Service’. Because solutions now exist with third-party certification and end-user portals that allow full security key management of the network, specialist management skills do not need to be added to the IT team; end-customers can take advantage of compliant encryption solutions that meet the needs of local or international legislation as a simple managed service that they can control.
The cost and long-term consequences of a data breach have pushed encryption up the business agenda in organisations of all shapes and sizes, in every industry. While a range of commonly used techniques protect data at-rest, these organisations also depend on large amounts of critical data that moves between offices, data centres and cloud environments, even across the globe. A truly robust infrastructure needs a comprehensive IT security strategy, and that includes in-flight encryption.