Mind the data security gap: why current solutions aren't working

02 Sep, 2020
Nigel Thorpe
Technical Director
You only need to look at recent headlines to realise that data is still being stolen – the Russians allegedly stealing Covid-19 vaccination research for one. Organisations spend millions on IT security - identity and access management, full disk encryption and data loss prevention, to mention just a few technologies that many resellers have in their portfolios. These are all great and necessary, but clearly, there are still gaps between systems.

Limitation of full disk encryption to protect data from being stolen

Often, when introducing the idea of file-level encryption to CISOs and CIOs, we hear, ‘But we already encrypt all our data’. When probed further, it turns out that what they mean is that they have full disk encryption. It’s shipped as part of Windows (BitLocker), and there’s a variety of products that help organisations to manage the technology.

The problem is that disk encryption is all about protecting data when it’s on a specific piece of hardware. Now, if you’re a cybercriminal and you’ve successfully compromised a legitimate user’s account – Twitter’s recent woes seem to have stemmed from this kind of criminal access – then you simply take a copy of all those company-in-confidence files out of the organisation’s network. Full disk encryption will happily hand over the goods, carefully removing the encryption on the way – no questions asked.

Limitation of outsourcing data protection to the managed service providers

As for managed services, the customer is essentially outsourcing data security to the provider, an approach typically taken by smaller organisations lacking their own IT departments. But have you considered what happens when the managed service provider (MSP) gets hacked? A 2022 article reported cybersecurity experts raising concerns about an individual on a hacker forum who claimed to have access to 50 American companies through an unnamed MSP.

In recent years, cybersecurity agencies have named MSPs as potentially vulnerable access points for cybercriminals to exploit. Because MSPs hold data for multiple organisations, it’s a one-hit hack with a bumper payoff.

Solving data security gaps with file-level encryption

This all nicely illustrates the issue with the common approach to data security: information is stored in ‘security silos’ where it is deemed to be protected. It’s a lot like putting cash into a safe. When a cybercriminal takes data out of its ‘safe’, it loses all its protection.

So, here’s the opportunity for the channel – look into solving the security silo problem for your customers who don’t want a brand-damaging, embarrassing and costly data breach. And the solution? Your customers should take a data-centric approach to security by deploying 100% file encryption – every file, every place, every time. Yes, everything. After all, that’s what organisations are trying to do with disk encryption – it’s just that it’s not implemented in a way that actually secures data when it is stolen.

File-level encryption works all the time by building both authentication and security into data so that it becomes an inherent part of every file. This way, if the information is stolen – taken out of its security silo – then it remains encrypted and therefore useless to the data thief. It’s a little like a very sophisticated way of password-protecting every file – but working silently in the background and without annoying the user, plus much, much stronger security.
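The difference between the two layers can be shown directly. The Go program below is an added example, not code from SecureAge or from the original article: it models disk encryption as a layer applied at rest and removed on read, and returns what a copy made through a logged-in (or hijacked) session contains with and without a file-level layer. The helper names (`seal`, `open`, `copyOut`), the choice of AES-256-GCM and the in-process key generation are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block cipher
	return g
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, gcm(key).NonceSize())
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

// open fails on a wrong key or a modified blob.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// copyOut: what a session copies off an encrypted disk; a non-nil fileKey adds the file layer.
func copyOut(doc, fileKey []byte) []byte {
	if fileKey != nil {
		doc = seal(fileKey, doc)
	}
	diskKey := newKey()
	copied, _ := open(diskKey, seal(diskKey, doc)) // encrypted at rest, decrypted on read
	return copied
}

func main() {
	doc := []byte("company-in-confidence forecast") // constructed sample
	fmt.Printf("disk only: %q\nfile-level: %x\n", copyOut(doc, nil), copyOut(doc, newKey()))
}
```

With disk encryption alone the copied bytes are the original document; with the file-level layer the copy is ciphertext that `open` rejects unless the file key is supplied.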

By protecting all files, all the time, no matter where they are stored or copied, stolen data is rendered useless. Legitimate data users, however, must not be aware that any of this security is going on. If you ask users to make security decisions, they will often go with the choice of least resistance – which is usually the least secure.

This approach also resolves the potential problems for MSPs because the customer is now taking responsibility and control over their data security. So, no cloud service misconfiguration or rogue MSP administrator will result in a data breach, because all data is encrypted by the customer, not the MSP.

And the best bit is that this also solves the age-old problem of insider data theft. Even where a user has legitimate access to information at work, if they steal data it will remain encrypted. No General Data Protection Regulation (GDPR) fines, no embarrassing headlines, no legal action.

By implementing a 100% file-level encryption approach using SecureAge Security Suite, you can finally take control of data security – no matter whether the data is held in your network, with an MSP, or at an employee’s home. Get in touch with our representative today to see a live demonstration of how SecureAge Security Suite works.
