Originally published in TEISS on May 1, 2019
For many years, encryption has been viewed as a burden on businesses – expensive, complex and of questionable value. How things have changed. In just the past few years (and hundreds of high-profile breaches and £trillions of economic damage later), cyber threats have become impossible for the boardroom to ignore.
Beyond simple economics, the crippling effects of a breach on a business are increasingly broad – from information loss and operational implications, through to media pressure, reputational damage and action from customers or regulators. And so, as the nature of business changed and boards were forced to become increasingly accountable, the idea that issues like encryption are “too technical” for the boardroom transitioned from being an acceptable excuse to a legitimate liability.
In recent years, we’ve seen a sharp rise in reporting and analysis of data breaches – arguably both a stimulant and a symptom of cyber-security taking its place on the board agenda. And while the rise in reporting is positive, it highlights the chasm between recognition of the problem and application of sufficient solutions. Are we getting closer to addressing the problem? If not, what’s holding us back?
The digital transformation conundrum
We are watching the Fourth Industrial Revolution unfold: a sweeping, global shift that will mean “going digital” is no longer optional. Businesses will be technology-enabled, connected and mobile like never before. It’s no wonder we are in the midst of a mass digital transformation migration, which IDC predicts will account for $1.25 trillion in spend this year.
This is a significant change. But with it has come an important, untold story about the evolving cybersecurity imperative for the C-suite. The 2019 Thales Data Threat Report-Global Edition revealed that as digital transformations are taking place, sensitive data is often at risk. While 97% of IT experts indicated they are going through some type of digital transformation, only 30% have adopted an encryption strategy.
Sensitive customer, financial, and other proprietary data is the most important asset a business can protect. Yet, an integral part of many companies’ digital transformation journey consists of migrating data away from ‘locked vaults’ in the organisation’s data centre, out to the cloud and edge technologies like mobile devices. No longer can the organisation simply set up a secure perimeter and feel good about its stance.
Clearly, it’s hard to imagine businesses still viewing encryption as too expensive, complex or of questionable value. In fact, major brands are increasingly calling out encryption as core to their cyber resilience efforts – or, unfortunately for some, admitting they should have invested in encryption before a major breach hurt their business. But what does an effective strategy for encryption entail?
It begins with understanding. Before implementing controls, organisations should take a risk management approach – assessing the risks they face, rather than just blindly encrypting data. Once a business establishes what it is facing, processes can be implemented that take the most sensitive data, or the data at greatest risk of loss or theft, into account and keep it secure.
Next, it’s about keeping the organisation secure by design. For far too long security has been seen as the last function to implement – an optional extra. The new normal will see organisations building with resilience and threat mitigation in mind, from day one. If you’re developing a new application, has security been factored into the planning? If your business is growing, what do you have in place to ensure data is encrypted and protected as you take on new staff and new systems? If your business is undertaking any kind of digital transformation, have you thought about the sensitive data at risk?
Lastly, it’s key that the board does not essentially become a bottleneck. The best strategies for encryption and cyber resilience are built on well-designed processes and streamlined sign-offs that empower lines of business and make clear that data security is important to the business – all rooted in a well-defined understanding of the leadership’s stance on encryption. That is why the role of the board is now so critical to an organisation’s cybersecurity.
Encryption is a board’s best friend
The rise of reporting on breaches, and the always-evolving nature of cyber threats, can often paint a gloomy picture for businesses.
It’s true that leadership can no longer ignore cybersecurity and encryption. After all, outsider threats are now constantly working to find new ways of penetrating systems; the least organisations can do is make life more difficult for them. For the board, though, encryption also presents an opportunity to safeguard the livelihood of the business.
Of course, there is some work for them to do – above all in taking the issue seriously, establishing a culture of cyber-resilience throughout the organisation and sufficiently getting to grips with the topic in order to sign off on a strategy. But the upside here is significant: doing so will ensure the business builds on a solid foundation, protects itself from unnecessary threats and improves its chances of sustainable growth.