What companies need to start doing to keep their customers safe from data theft
As cyber attacks have become more prevalent, piles of company information and client data are stolen each year.
In 2014, over 700 million records were stolen. The threat of the attacks has become almost ordinary. Many companies that hold sensitive data don’t even do the bare minimum to protect it from hackers. They don’t encrypt the data, leaving it open for adversaries to exploit.
Although it’s clear companies need to encrypt data further to stop hackers, right now, governments are trying to stop them from doing it. The US and UK governments are threatening to ban encryption, because they say having access to data will help to thwart terrorist attacks or other serious crimes. In this article, we speak to the growing frequency of cyber attacks, while arguing that companies have a duty to encrypt data and provide security to protect customers’ personal data from being compromised, even if it seems it could disrupt national security.
Security breaches and data compromised
According to The 2015 Information Security Breaches Survey, 90% of large companies in the UK reported some form of security breach, up from 81% last year. A report from the Identity Theft Resource Center found 781 breaches in the US, which is the second highest number of attacks since it began tracking in 2005.
Each year, a number of high-profile scandals arise in which customer and internal records are lost, employee records are compromised, or customer data is stolen.
In June 2015, the United States Government Office of Personnel Management fell victim to a data breach, exposing the sensitive information of 22.1 million people. This was the second data breach in 2015; earlier, 4.2 million employees’ data was stolen. US officials said the hackers not only accessed personal records of employees, but also the information of people they listed as references for some of the most secretive jobs in the government, a huge concern for national security.
The same month, British telecommunications company TalkTalk was hacked and 157,000 customers’ information was stolen. The hackers demanded ransom from the company.
Encryption is something communication companies need to offer
Companies have a duty to encrypt their data. It’s the best way to achieve data security because hackers can’t read encrypted data. To read encrypted information, someone must have a password to decrypt it and turn it into plain text.
It’s a treasured tool to protect data, but many companies don’t utilize it.
According to a Sophos survey, half of larger organizations (501-2000 employees) encrypt extensively. But only 38% of smaller organizations (100-500 employees) do. Even TalkTalk admitted to not having their data encrypted. But why didn’t they?
Sophos cites lack of budget, performance concerns for users, and lack of encryption knowledge as the top three reasons. Encryption has a reputation for being expensive and complicated, but the survey recommends finding the right IT partner to guide companies smoothly through the process.
Government operations versus encryption
Although this lack of encryption is concerning, there are large corporations that take encryption seriously. Apple, Microsoft, and Google encrypt many products automatically, a move made following Edward Snowden’s NSA revelations.
But law enforcement and governments aren’t having it.
A bill in New York wants to ban the sale of encrypted smartphones that can’t be unlocked by a manufacturer, to make it easier for law enforcement to access data on smartphones and thwart terror attacks. A bill in California calls for the same, but its reasoning is to fight human trafficking.
A UK bill nicknamed Snooper’s Charter wants to make it legal for police to track online activity through platforms like email, WhatsApp, and Skype. It will also make it illegal for telecommunications companies to not hand over user data to police or government. Additionally, staff at social media companies could get up to 2 years in jail if they let their customers know they are being surveilled.
Microsoft, Twitter, Apple, Yahoo, and Google sent a letter to Home Secretary Theresa May saying they would oppose the UK bill.
“Now, we have a deep respect for law enforcement, and we work together with them in many areas, but on this issue we disagree. So let me be crystal clear — weakening encryption, or taking it away, harms good people that are using it for the right reasons,” said Apple CEO Tim Cook at an Electronic Privacy Information Center event in 2015.
“And ultimately, I believe it has a chilling effect on our First Amendment rights and undermines our country’s founding principles.”
As governments pressure leaders from Silicon Valley to fork over information in the interest of national security, the NSA has a surprisingly positive stance on encryption.
NSA Director Adm. Mike Rogers says end-to-end encryption is necessary for the future of America, arguing that debating whether or not we should do away with it for the sake of national security is a waste of time.
“So what we’ve got to ask ourselves is, with that foundation, what’s the best way for us to deal with it? And how do we meet those very legitimate concerns from multiple perspectives?” he said to the Washington D.C. think tank, the Atlantic Council. “We’ve got to meet these two imperatives. We’ve got some challenging times ahead of us, folks.”
The future of encryption
Security has become more imperative than ever. Businesses, however, aren’t always able to keep up with their growing use of tech, leading them to lag behind in encrypting data, even if they have good intentions.
According to the same Sophos survey mentioned earlier, 97% of organizations polled already use encryption to some degree, or plan to implement it in the future. 69% plan to do it in the next 1-2 years, and only 5% of companies think they don’t need to.
The numbers are promising, and show that businesses see a need for encryption (although maybe not an urgent one), but we’ll have to wait and see if companies’ intentions develop into actions, fulfilling their duty to encrypt data to protect customer, employee, and company data from being compromised.
Nicholas Kyriakides is the Co-founder and Chief Operating Officer at netTALK. He is also an adjunct faculty member in the business school at Miami Dade College and Broward College. NetTALK allows for free Duo-to-Duo international calling.