Just when the global cyber community was slowly recovering from the infamous WannaCry ransomware attacks that caused havoc across the globe last year, two recent cyber-attacks of an almost identical nature again shook the cyber community worldwide.
In May 2018, two Canadian banks, the Bank of Montreal and CIBC-owned Simplii Financial, were targeted by hackers who managed to get access to the personal information of thousands of their customers. The hackers demanded a ransom of $1 million from each bank, failing which they threatened to publish the stolen information on the internet. The information that the hackers got access to included names, dates of birth, social insurance numbers, debit card details, home addresses, occupations, marital status, secret questions and account balances. Security experts suspect that the hackers used a ‘spear phishing’ attack in which they targeted specific people who had accounts with both these banks and used malicious cyber techniques to make them hand over their crucial data.
Why did this happen?
Organisations, especially banks, store a lot of user data to help them service their customers, target marketing activities and run analytics to make their products/services relevant to the needs and demands of the market. Broadly, user data can be classified into two types: Personally Identifiable Information (PII) and non-PII. In simple words, any data that can be used to identify a person is categorized as PII. PII therefore needs to be stored and managed more securely than non-PII data.
In the case of Bank of Montreal and Simplii Financial, the breach happened despite both banks having implemented stringent perimeter security controls. Cyber security experts feel that had the banks employed data encryption technologies for securing their customers’ PII stored within their databases, such an attack would not have been possible.
The Way Forward
Hackers have been around since the time the Internet was born and with every passing day, their numbers are increasing manifold, with data breaches taking place almost on a daily basis. According to Gemalto’s 2017 Breach Level Index report, the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion, up a whopping 88% from 2016. This equates to more than 7 million records lost or stolen every day, or 82 every second!
With rising incidents of data breaches, the business impact goes way beyond a financial hit. As organisations struggle to maintain and protect their customers’ data, there is a growing concern amongst their customers about the security of their personal information. Gemalto’s recent Customer Loyalty Survey, which interviewed 10,000 consumers worldwide, revealed that a majority (70%) of consumers would stop doing business with a company if it experienced a data breach.
This figure alone should ring the alarm bells of organisations that store their customers’ PII without deploying robust data encryption technologies. Encryption scrambles the data using an algorithm and a secret value, the encryption key. Unless a user has access to the key, the data cannot be unscrambled or decrypted.
However, securing the data does not end with merely encrypting it. Encryption transfers the responsibility of enterprise security from the data to encryption key management – a holistic solution that is seamlessly able to generate the encryption keys, distribute, rotate and store them and revoke/destroy the keys, as needed. In a nutshell, businesses need an end-to-end data encryption solution to ensure the security of data.
While there are many encryption alternatives available in the market today, most businesses find themselves lacking when it comes to management of the encryption keys. It’s like putting a lock on all the doors of your room and not knowing where the keys are. This can still lead to a potential theft if the keys land in the wrong hands. Hence, having a centralized platform that can help organisations manage their crypto keys across all stages of their lifecycle can play an important role in ensuring optimal data protection.
What’s needed is a robust and centralized key management solution that can be seamlessly deployed in physical, virtual, and cloud environments. Some of the salient features that play a crucial role in data security are:
1. Heterogeneous key management – helps in managing multiple crypto keys for different types of encryption products.
2. Multiple use cases – easily integrates with other data protection solutions.
3. End-to-end key-lifecycle support
4. Centralized management console – helps in assigning administrator roles according to the scope of their responsibilities.
5. Logging and auditing – helps in storing audit trails that can be analysed by using any leading SIEM tools.
6. Reduces the overall cost of data security by offering automated operations.
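The key lifecycle described above (generate, store, rotate, destroy) and the audit trail from the feature list, as an added Python example that is not from the article or any Gemalto product. `KeyManager` and its methods are hypothetical names, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD (e.g. AES-GCM)
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    # Integrity tag over nonce and ciphertext, domain-separated from the keystream
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

class KeyManager:
    """Hypothetical in-memory key manager: generate, rotate, destroy, audit."""
    def __init__(self):
        self.keys, self.active, self.audit = {}, 0, []
        self.rotate()                      # generate the first key

    def rotate(self):
        self.active += 1
        self.keys[self.active] = secrets.token_bytes(32)
        self.audit.append(("generate", self.active))
        return self.active

    def destroy(self, kid):
        if kid == self.active:
            raise ValueError("rotate before destroying the active key")
        self.keys.pop(kid, None)
        self.audit.append(("destroy", kid))

    def encrypt(self, text):
        key, nonce, data = self.keys[self.active], secrets.token_bytes(16), text.encode()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
        return (self.active, nonce, ct, _tag(key, nonce, ct))  # key id stored with record

    def decrypt(self, record):
        kid, nonce, ct, tag = record
        key = self.keys.get(kid)
        if key is None:
            raise KeyError(f"key {kid} destroyed or unknown")
        if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
            raise ValueError("record modified or wrong key")
        self.audit.append(("decrypt", kid))
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

    def reencrypt(self, record):
        """Move a record onto the current active key after a rotation."""
        return self.encrypt(self.decrypt(record))
```

Records that are not re-encrypted before their key is destroyed become unreadable, which is why rotation and destruction have to be tracked per key id and logged.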
To Sum It Up
What would you do if an organisation didn’t take the security of your data seriously? Probably stop using their products/services, right? Most of us would do the same. We are all concerned about the security and privacy of our data gathered by various businesses. As consumers, we expect all organisations, no matter how big or small, to employ the latest security tools.
When we look at it from the other side of the line, as business owners, we tend to try and get by with the security system already in place. However, hackers are evolving and your data security tools need to keep up too. An end-to-end data encryption solution can assure you and your customers of maximum data protection. Remember, if your customers feel that your organisation places security of their personal information at the top of the priority list, they would not just be loyal to your brand but also work as powerful brand ambassadors.
(The author is Senior Business Development Manager – Banking Identity & Data Protection Enterprise & Cybersecurity; Gemalto)