Data Breach Accountability: Who’s to Blame?

Data breaches have surged in frequency and cost; one widely cited estimate puts the global cost of cybercrime at roughly $8 trillion for 2023. And the damage isn't confined to the companies that are breached: these costs erode customer trust and ripple outward through prices and the wider economy.

We are also seeing a hard shift toward accountability, with precedents being set by the Securities and Exchange Commission (SEC), the Office of the U.S. President, and other regulators that expect organizations to do more to protect the data they run their operations on. The impact of cybercrime and poor cyber controls goes well beyond the direct cost of data loss and ransom demands. The added costs include civil lawsuits, regulatory fines, lost customers, higher borrowing costs (on cards and loans), and even personal criminal liability for cybersecurity leadership. In short, the cost of cybercrime doesn't stop with cyber liability insurance claims or remediation; it reaches much deeper into the economic ecosystem.

This financial and societal impact is driving a demand for retribution. When a data breach occurs, everyone looks for someone to blame. Because of that demand, CIOs, CISOs, and even CEOs routinely lose their jobs, and with new regulations and recent legal precedent they can now face personal legal consequences as well. But what if we stopped to consider what, rather than who, is to blame? The answer is right in front of us.


Encryption Adoption Struggles

Encryption is the control that most limits what an attacker walks away with, yet 40% of enterprises globally do not encrypt their archives and backups, and 58% do not encrypt their client data at all (Statista and Entrust, respectively). While large volumes of sensitive data sit unencrypted, breaches that end in data theft and extortion will keep surging. There is no magic bullet, but wider encryption adoption removes a large part of the problem for most organizations and cuts both the success rate and the impact of a compromise. One caveat worth stating plainly: encrypting data at rest blunts theft and extortion, not the availability side of ransomware, since an attacker who can reach an encrypted volume can still encrypt or delete it; backups and recovery still matter.

Why is adoption so low when compliance frameworks mandate it? Budgets are one reason, but the deeper problem is that we collect data in order to use it. Traditional encryption does not support data in use: the data must be decrypted before any create, read, update, or delete (CRUD) operation can run against it. So every time an application needs a piece of encrypted data, such as a field classified as PII, it must:

  1. Decrypt it into plaintext
  2. Hold that plaintext somewhere reachable (RAM, cache, CPU registers, disk, or a processing server)
  3. Run the query or CRUD operation
  4. Re-encrypt the result and move it back into protected storage

Given how fluidly data is used today, this cycle has proven impractical, inefficient, and, because the plaintext is exposed at step 2, ineffective. It simply does not match how most operations or applications work.

It also takes time and resources to manage, and both are scarce and expensive.

For example, the encrypt, decrypt, use, re-encrypt cycle is unworkable for a 24-hour operation such as a global cellular carrier, where customer service representatives need billing and provisioning data 24x7x365. No customer wants to sit on hold while a dataset is decrypted just to ask about a charge on their bill, and then be put on hold by the next rep because the database is in the middle of a re-encryption cycle.

This isn't only a telecommunications problem. Consider life insurance: carriers hold vast amounts of sensitive, private data that must be available the moment a life event occurs, and that high-availability requirement conflicts directly with the limits of traditional encryption. And that is before we get to hospitals, where immediate access to protected health information (PHI) can save a life.

Yes, encryption adoption is critical, but it will not happen at scale until it fits the fluid way data is actually used.


The Evolution of Encryption

The only way to truly protect sensitive, controlled, and private data is to encrypt all of it with a mature, widely adopted algorithm. Today that means the Advanced Encryption Standard (AES), standardized by the National Institute of Standards and Technology (NIST) in FIPS 197, at its 256-bit key size, referred to as AES-256 (the Wikipedia entry is a good starting point). AES-256 is generally considered to hold up against quantum attack: Grover's algorithm would at best halve its effective key length to 128 bits, which remains out of reach. NIST's post-quantum cryptography program, by contrast, targets the public-key algorithms used for key exchange and digital signatures, which is where the quantum threat actually lies.

AES-256 has become the standard for encryption at rest and in motion (in transit, or in flight). In both cases the data itself is static. At rest that is obvious, but even in motion the data is static; it is the container it's in that moves. Send an encrypted file, for instance: the bytes in the file are encrypted while static, and they must be decrypted before anyone can use them. One caveat: the cipher is only part of the picture. The mode of operation (an authenticated mode such as AES-GCM, which detects tampering) and the key management around it decide whether a deployment is actually secure.

There was a time when the data we collected was kept for archiving or analytics, and encryption at rest and in transit was all we needed. Of course, most operational activity was brick-and-mortar then, too.

Today we have evolved to be mostly digital, and we actively use almost all the data we collect. Look at how a restaurant works: you still go to a physical location, but the reservation, ordering, and payment systems are all digital, and so is the restaurant management system behind them.

Now is the time to adopt the next evolution of data encryption: encryption that handles fluid, in-use data without decrypting it first. You can search encrypted data, and it can be done with no impact on your end-user applications or even your existing databases.


Building a Solution

Paperclip Inc.®, a 32-year-old data security and content management integrator, offers a solution that goes beyond today's encryption by keeping data in an always-encrypted state, even while it is in use. This is a break with the traditional way we look at data encryption. The solution is called SAFE, a Software-as-a-Service (SaaS) plug-in that fits alongside your existing business applications and database.

SAFE changes the game; cybersecurity leadership runs out of excuses. You can now keep your most valuable data out of reach of theft and extortion by keeping it always encrypted. Even when access controls and authentication break down, even if a key is stolen, the data stays encrypted. And when an insider is waiting for you to decrypt data for use, or for a data discovery and classification job to surface it in the clear, the data is never exposed.

The Paperclip SAFE encryption solution is the only product on the market built on a foundation of Searchable Symmetric Encryption, combined with Paperclip's patented data shredding technique and NIST-approved AES-256 encryption, backed by two key vaults (one for the data holder and one for the data owner).

As a cloud-based SaaS solution, SAFE is easy to deploy, doesn't change how users work in their business applications, and doesn't require specialized teams to re-architect the network environment. In addition to being the only product on the market to take data beyond traditional encryption, SAFE is fast enough to meet the requirements of active, on-demand business use cases such as customer service, payment-card (PCI DSS) environments, financial services, and healthcare.

Eight years ago, when Paperclip set out to solve the data-in-use challenge, we evaluated format-preserving encryption, tokenization, confidential computing, and even homomorphic encryption. Each was either too weak, too slow, too expensive, or too complicated to deploy, and none offered the crypto agility we needed for long-term use.

That is why Paperclip landed on Searchable Symmetric Encryption. The Paperclip team originally built SAFE to protect the sensitive data we ourselves housed and, like you, we needed it to be secure by default, very fast, non-disruptive, and scalable.
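To make two ideas in this article concrete, the decrypt-use-re-encrypt cycle from the encryption adoption section and the search over encrypted data that Searchable Symmetric Encryption permits, here is an added example in Go. It is written for this page; it is not Paperclip's SAFE code and does not reflect SAFE's patented design, which the article does not describe. It assumes a single encrypted customer-email column, AES-256-GCM for the stored values (a fresh random nonce per row), a separate index key, and the simplest textbook searchable-encryption construction: the client sends an HMAC-SHA256 search token and the store answers from a token-keyed index without holding a key or decrypting anything. The names Store, Insert, NaiveSearch and TokenSearch and the sample rows are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one encrypted customer row; CT is nonce || AES-256-GCM(email).
// Store plays the server: ciphertexts plus a token-keyed index, but never a key.
type Record struct{ ID int; CT []byte }
type Store struct {
	Records []Record
	Index   map[string][]int // search token -> matching record IDs
}

// aead builds AES-256-GCM for a 32-byte key; a wrong key length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// randBytes draws n bytes from crypto/rand; used for both keys and GCM nonces.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// encrypt uses a fresh 96-bit random nonce, so equal emails give different ciphertexts.
func encrypt(key, pt []byte) []byte {
	nonce := randBytes(12)
	return aead(key).Seal(nonce, nonce, pt, nil)
}

// decrypt opens nonce||ciphertext; a wrong key or tampered bytes fails the GCM tag check.
func decrypt(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}

// norm runs before both indexing and querying so that matching is case-insensitive.
func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// searchToken is the client-side trapdoor: HMAC-SHA256 of the keyword under the index key.
// Equal keywords give equal tokens: that is what makes lookup work, and it is exactly what
// the index leaks to the server (which rows share a value, and how often each value occurs).
func searchToken(kIndex []byte, keyword string) string {
	mac := hmac.New(sha256.New, kIndex)
	mac.Write([]byte(norm(keyword)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Insert runs on the client: encrypt the value, derive its token, ship both to the store.
func (s *Store) Insert(kData, kIndex []byte, id int, email string) {
	tok := searchToken(kIndex, email)
	s.Records = append(s.Records, Record{id, encrypt(kData, []byte(email))})
	s.Index[tok] = append(s.Index[tok], id)
}

// NaiveSearch is the decrypt-use-re-encrypt cycle the article describes: answering
// "WHERE email = ?" needs the data key and opens every row on every query.
// It returns the matching IDs and how many decryptions that took.
func NaiveSearch(s *Store, kData []byte, email string) ([]int, int, error) {
	var hits []int
	for _, r := range s.Records {
		pt, err := decrypt(kData, r.CT)
		if err != nil {
			return nil, 0, err
		}
		if norm(string(pt)) == norm(email) {
			hits = append(hits, r.ID)
		}
	}
	return hits, len(s.Records), nil
}

// TokenSearch is the searchable path: the client sends only a token and the store
// answers from its index, holding no key and decrypting nothing.
func TokenSearch(s *Store, token string) []int { return append([]int(nil), s.Index[token]...) }

func main() {
	kData, kIndex, s := randBytes(32), randBytes(32), &Store{Index: map[string][]int{}}
	for i, e := range []string{"alice@example.com", "bob@example.com", "Alice@example.com"} { // constructed rows
		s.Insert(kData, kIndex, i+1, e)
	}
	ids, n, _ := NaiveSearch(s, kData, "alice@example.com")
	fmt.Println("naive:", ids, "decryptions:", n, "token:", TokenSearch(s, searchToken(kIndex, "alice@example.com")))
}
```

For the constructed rows, NaiveSearch for alice@example.com returns IDs 1 and 3 after opening every row, while TokenSearch returns the same IDs with zero decryptions and no key on the server side. The price of that convenience is the leakage the comment on searchToken spells out: the store learns which rows share a value and how often each value occurs even though it never sees the values themselves. Real searchable-encryption designs, and any product built on them, stand or fall on how they bound that leakage, so it is the first question to put to a vendor.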


A Look to the Future

Cybercrime costs the world economy far too much to be written off as a cost of doing business. It has become clear that the way we currently architect protection for sensitive, controlled, and private data isn't working.

And with the rapid adoption of Generative Artificial Intelligence (GenAI), the risk is outpacing traditional solutions and approaches. GenAI can consume and create sensitive, controlled, and private data faster than traditional security and encryption tooling can keep up with, producing yet another dataset waiting to be compromised.

The numbers don't lie; it's time for a different approach. Encrypting data at its core while at rest, in motion, and in use will reduce the payoff of a successful intrusion. Network security architects, CIOs, CISOs, and other cybersecurity leaders can do more while reducing technology complexity, management overhead, and cost.

You can't guarantee that a threat actor never gets into your environment, but you can stop them from getting at your most prized possessions. Encrypt your data and regain control of your business, because nothing stops business growth faster than a data breach.