Why encryption is no longer enough to prevent data loss

The frequency and cost of corporate data breaches are on the rise.

Many firms are incorporating encryption into their data loss prevention strategies. But simply encrypting network communications and mission-critical data is not enough to provide effective protection from one of the biggest threats to data security.

A study commissioned by IBM in 2015 showed that 33 per cent of firms questioned had adopted encryption as a precautionary measure over the previous five years, rising to 44 per cent following a data breach incident. Yet many of those systems may not be providing an adequate level of protection because they do not take into account threats from within the organisation, be they malicious or accidental.

Most security measures address infiltration of the corporate network from outside threats. But according to a report published in September 2015 by Intel Security, a staggering 43 per cent of data loss can be attributed to actors from within the organisation, either as intentional theft or through the accidental loss of equipment and storage media. Encryption of sensitive data is one strategy against data loss, but to be truly effective, protection must be multilevel and encryption must be continuous, even within the boundaries of the corporate firewall or cloud application being used.

When we looked for such a solution back in 2012, we were disappointed to find that a lot of the products available did not actually provide either the features or the level of security that we required in our business, so we set about developing our own. That internal project eventually became the VIPole platform, which launched commercially in 2013.

VIPole offers the highest level of encryption for both communications and storage. A key feature is that it delivers complete, continuous end-to-end encryption. Other encrypted messaging systems either have only client-server encryption or use end-to-end encryption for special modes while, for the most part, data is not end-to-end encrypted. Likewise, VIPole encrypts both storage and network transfers, whereas many other systems only encrypt network transfers. Why is this important? In practice this means that even if a hacker or unscrupulous employee manages to exfiltrate data from within the network, they will not be able to decrypt it. This feature is going to become even more important when the tough new EU rules on data protection kick in in 2018. Companies found guilty of breaching the new regulations face a potential fine of up to €20m. That in itself gives some indication of the importance that the EU is placing on the secure handling of personal data.

BYOD and mobile enterprise mean that vulnerable data is spending more time outside the firewall and is therefore at greater risk. According to Intel Security, 21 per cent of data loss incidents occur as a result of the loss or theft of a mobile device. VIPole was designed for the high-level encryption of important files, but also of other sensitive data that other systems sometimes miss, for example sent and received files and message history.

If a device is lost or stolen, VIPole’s remote device management tools can be used to wipe data remotely, and VIPole’s on-premises platform also gives system administrators fine control of security and encryption settings on individual devices.

There’s no doubt that with escalating threats to security and privacy, encryption is going to become increasingly important for everyone over the next decade.

Photo credit: Maksim Kabakou / Shutterstock