One of the best-kept secrets of World War II was the operation to intercept and read top-secret German military message traffic. Germany used an “Enigma” machine to communicate coded messages. Polish mathematicians reverse engineered the machine and began reading German messages. When the Germans moved to invade Poland, the Poles shared their Enigma secrets with the British, and the rest is history, a romanticized version of which appears in the Oscar-nominated film “The Imitation Game” (2014).
It took enormous effort and years of dedication (and a spot of luck) to successfully break the encryption algorithm used by Germany. The level of effort required helps us understand why, in the face of ever-increasing cyber attacks, businesses are moving to embrace a standard that regulatory authorities have been urging and consumers seem to be expecting: sensitive data will be encrypted by those who hold it.
Why encrypt? Writing in Tech Insider, Peter Galvin, vice president of strategy and marketing at Thales e-Security, notes, “The ultimate goal of most malicious actors is to obtain sensitive user information or critical data. Encrypting stored data is one of the most effective ways of thwarting such attacks. Encrypting data at all stages, at rest, in motion and in use is the best way to prevent critical data from being compromised. But it must be done — securely, efficiently and effectively.”
Further making the case, Ambassador Joseph R. DeTrani and Mark G. Fields write in The Hill, “It is time to boost the adoption of encryption tools as a global stabilizer and means to protect the economy that cuts across political agendas and geopolitical interests. Universally strong encryption is a powerful defense, which provides a unique capability to protect the private sector and citizens against malicious data breaches perpetrated by state or non-state actors.”
As for consumers’ expectations, consider the recent breach at British telecom firm TalkTalk, whose CEO, Dido Harding, in discussing the stolen data, told The Sunday Times, “It wasn’t encrypted, nor are you legally required to encrypt it. … We have complied with all of our legal obligations in terms of storing of financial information.” Predictably, that response is being skewered by the media and has given rise to outrage among TalkTalk customers.
In the classic 1967 film, “The Graduate,” a wealthy neighbor of Dustin Hoffman’s “Ben” offers him a famous one-word piece of advice … “plastics.” Fast forward to 2015. Change the word to … “encryption.”
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
November 3, 2015