Lack of encryption is putting customer data at risk

Security investigators believe hackers behind the Yahoo data breach may have exploited a failure to use proper encryption.  If this proves true, then many more organizations may be putting customer data at risk.

In recent years, technology advances like the Internet of Things (IoT), big data and cloud-based services have generated an explosion in the number of IP connections. To keep them secure, all connections are underpinned by basic cybersecurity measures comprising cryptographic keys and digital certificates that must be tracked and protected.

When an organization fails to apply these basic security measures to its assets, it risks leaving whole systems vulnerable to attack.

A 2016 report by Gemalto and the Ponemon Institute found 92 percent of businesses encrypt just 75 percent or less of their sensitive and confidential data when it is sent via the cloud. The proportion of respondents that encrypt data stored in the cloud was even lower at 40 percent.

Most concerning for customers, it is their data that is most often left unencrypted.  This places customer data at considerable risk of being viewed or even harvested by hackers.

A simple way of protecting cloud data on its journey from device to cloud storage is to encrypt the whole process using a VPN tunnel.

The most common form of information in the cloud is customer data and much of it is unencrypted.

Despite the fact that encryption is one of the most basic methods for securing data, many companies make the mistake of failing to encrypt. If they did, only authorized users with a matching key could actually see the documents.

This would make stealing them meaningless.

Instead, there have been multiple incidents where hackers have been able to access account holders' unencrypted security questions and answers and even login usernames and passwords.

Lack of encryption had a hand in some of the biggest breaches of 2016.

For example, researchers in the Yahoo case suspect hackers managed to exploit failed use of encryption resulting in the loss of data relating to half a billion users.

In another major 2016 data breach, Adult FriendFinder, attackers succeeded in gaining access to an unencrypted database containing members’ details via a technical vulnerability.

Meanwhile at Lynda.com, part of the LinkedIn business social network, around 10 million members had to be notified of the potential hacking of another unencrypted database after it was suspected of being hacked.

A failure to implement basic security checks such as data encryption and authentication is also leaving airline booking systems vulnerable to hackers.

Data stored in the cloud is often not within an organization’s control. Instead, it may rely entirely on best security practices by third parties. Unfortunately, it is almost impossible to guarantee that best practices will be applied.

When a company provides services via the cloud, customers only know they can access their applications and data whenever and wherever they wantbut customers have no idea how or where their data is stored. When it comes to security and privacy, customers either have to carefully check the terms of a long and complicated service agreement or, more often, trust blindly in the provider’s professionalism.

Trends like Shadow IT are another consideration.

According to Gartner, one third of security breaches will come in through shadow IT services by 2020.

Also known as Bring Your Own App (BYOA), or Bring Your Own Cloud (BYOC), shadow IT is in direct conflict with enterprise data security.

Growth of Bring Your Own Device (BYOD) in the workplace means employees may be tempted to use their own cloud-based apps to store or share customer data with colleagues.

The result may leave sensitive customer data vulnerable with only the strength of an employee’s password to protect it.

Outside of the security risks, unauthorized storage of sensitive customer content in the cloud has a whole range of legal and compliance violation ramifications that organizations can ill-afford to ignore.

According to Cisco, most companies have 15 to 22 times more cloud apps in service than IT has authorized. This means that for every app the IT department knows about, there are 15 to 22 others in use that the companies knows nothing about whatsoever.

A recent SpiceWorks survey agrees, reporting that 80 percent of IT managers say their users are setting up unauthorized services.

And according to the Cloud Security Alliance and Skyhigh Networks, only 8 percent of organizations believe they’ve got a handle on all the cloud services their employees use.

A simple way to protect cloud data on its journey from device to cloud storage is to encrypt the whole process using a VPN tunnel.

A VPN is able to let remote off-site employees create an encrypted connection with their company network to transfer data securely regardless of their location or the application they are using.

Cloud services frequently start out as popular public websites. As customers become used to visiting these sites for services, the amount of sensitive data hosted grows.

Public cloud providers become an extension of the data center network. Internet VPN is the first, and simplest option for service providers to ensure customer data remains private and encrypted at all times.

In summary, a failure by cloud providers and enterprise employees to implement basic security measures such as encryption when handling sensitive cloud-based data is a major contributing factor behind many of the high profile breaches reported in the media.

With more and more employers allowing employees to use their own cloud-based apps at work, the risks of customer data being leaked are set to increase.

Always be sure to use a VPN to keep sensitive customer data private and secure whenever it is transferred to and from the cloud.