Like the proverbial “death and taxes,” cyberattacks and data breaches seem to have become an inevitable part of life. In the first half of 2020 alone, 540 reported data breaches impacted over 163 million people.
While this represented an improvement over the first half of 2019, maintaining data security will remain a challenge into the foreseeable future. The proliferation of entry points – from wearables and home networks to ever-more-prevalent Internet of Things devices – along with the growing sophistication of hackers, who now leverage machine learning and other advanced technologies, will see to that. Indeed, as the authors of a recent global risks report issued by the World Economic Forum write, “What would once have been considered large-scale cyberattacks are now becoming normal.”
While everyone is vulnerable to cyberattacks, everyone also seems to assume that someone else is responsible for protecting their data. A PwC survey of consumers reported that 92% of respondents expected companies to be proactive in protecting their data. Naturally, only 25% of those consumers believed companies were doing so. (It’s worth noting that 87% said they would make a switch if they thought a particular company wasn’t handling their data properly.)
Consumers are not alone in shifting responsibility for data protection to others. Many companies and their business partners – third-party vendors, SaaS providers and the like – essentially do the same. They, too, rely heavily on contractual agreements to safeguard themselves in the event of a data breach and, should one occur, are quick to sue their partners. Recognizing the likelihood that a lawsuit will result from a breach, insurance companies suggest a range of products to minimize the liability of IT vendors and others.
This circle of distrust could be broken if forward-looking companies and the third-party vendors who serve them both chose to address the problem. Specifically, adopting effective end-to-end encryption technology could dramatically reduce the risk of private data being exposed – and provide a business boost to all of those who use it.
Cybersecurity tools: A ‘market for lemons’?
One might ask, why, given the plethora of cybersecurity tools on the market, more organizations don’t simply invest in protecting themselves and others?
A new report by Debate Security provides a provocative answer to that question. They start with the claim that most buyers don’t do a thorough analysis of the effectiveness of the security products they buy. As a result, vendors have no real incentive to improve the effectiveness of the products they bring to market. When buyers don’t vet products, and vendors feel no pressure to improve them, you end up with what economists call a “market for lemons.” Once vendors sense that better, more powerful products won’t sell any better than their lower-quality alternatives, that’s what the market will get.
The Debate Security report concluded that government regulations may be the only way to solve the issue. And we have seen an upsurge in actions by European governments and others to mandate the protection of their citizenry from privacy violations. Interestingly, given the very real threat that regulatory intervention may disrupt data exchanges that tech companies and others depend on for their business (see our earlier blog post on this issue), companies now have a great incentive to find an effective technological solution to the problem of comprehensive data protection, one that ends the blame game and keeps private data from being accessed.
Without the much-needed technology, the best that companies can do is to rely on the concept of “shared responsibility” promoted by AWS. And this can help organizations delineate the security obligations of different stakeholders when they access cloud resources, for example. In this schema, generally speaking, the cloud provider will be responsible for infrastructure-related security measures while the users are responsible for securing the data uploaded to the cloud.
Shared responsibility, however, isn’t really scalable. The actually shared responsibilities can vary from provider to provider and, in some cases, feel unnecessarily confusing and complex. What’s more, as noted in a recent Security Boulevard article, “There may be gaps between where vendor responsibility ends and user responsibility begins – gaps still big enough for hackers to execute send the worst kinds of attacks directly in the cloud.”
We need comprehensive data protection technology that works
For companies, third-party vendors and cloud providers, protecting data across the lifecycle with end-to-end encryption, no matter where it’s stored or when it’s accessed, can solve this problem from both sides.
From a company’s perspective, a method that keeps data encrypted throughout its lifecycle provides real peace of mind. Whether a third-party partner has adequate encryption technology becomes less of an issue (though, frankly, it should be concerning). If data is encrypted during migration to a cloud provider and all the while it’s stored there, there’s little need to hide behind legal agreements or worry about complying with governmental regulations. (And let’s be honest these agreements and regulations only determine penalties after the fact; they don’t prevent data breaches or data loss.)
For cloud providers, SaaS providers and other third-party vendors, the same technology represents a competitive advantage in the marketplace. Being able to protect user data with encryption at rest, in transit and in use can attract hesitant or overly cautious users. It also increases trust between vendors and clients, while alleviating the need to draw up complex legal agreements defining roles and assigning damages if things go south.
To be truly effective, such a solution must be scalable, database-agnostic and deployable either in the cloud or on-prem. The full range of technologies that handle sensitive data and the number of partners that companies rely on today demand this kind of flexibility.
As long-time veterans of the data industry, we at Sotero are very familiar with the challenges of data protection and the pressing need for a comprehensive solution that not only works but is scalable and easy to use. That’s why we created Sotero Protect and Sotero Opaque. We are aware of the limitations of existing solutions and, more importantly, don’t believe organizations should settle for lemons. Let’s talk.