Data Breach Party – Who’s Paying the Bill?

Published in Broker World Magazine March 1, 2022

If you are the owner or the caretaker of a financial services industry firm, then you have a $4 million plus liability waiting for you—the data breach. The financial services industry collects personal information, financial information, health information, and in some parts like insurance. This is the data the cyber criminals want to steal.

Just to be clear, the information cyber criminals are after are our names, social security numbers, date of birth, and anything that identifies an individual (PII). Next is nonpublic information (NPI), typically financial information encompassing credit cards, bank accounts, loans, and mortgages. Cyber criminals are also after personal health information (PHI). This is any type of information regarding medical conditions, pharmacy, family history and more. These three categories of confidential information are at the center of transacting business in the financial services industry.

According to the IBM 2021 Cyber Security Report, the average breach costs $4.23 million and, if that breach included medical information, it could reach as high as $9.2 million.

Now when we talk about the average breach, what is that? It’s every company that’s reading this article. It only takes (at $148 the average cost of breach mitigation per record) approximately 30,000 records to be stolen. Larger companies rise to mega breach liability, 50 million records stolen with an average cost of $400 million to resolve. These breach costs are typically expensed within the first 12 to 18 months. For more detail on the anatomy of a breach, you can read the entire article discussing these events and their associated cost in the Broker World archive.

Well now, who is responsible for this average breach? Who has to pay $4.2 million? It’s every company reading this article. Federal and state laws hold the firm or organization that collects the user’s data responsible. That means you are responsible for the data breach; you will pay any fines or fees resulting from any legal action. As a company or firm processing transactions on behalf of a customer or client, you are now the data owner—you are responsible for the privacy and security of their information. Engaging a third party to manage that information (Cloud SaaS Vendor) is called the data holder. If a breach occurs at the data holder location, the data holder must notify the data owner but not much more than that. The data owner who outsourced to the third-party SaaS vendor may pay more in fines related to how the data holder secured the information and your failure to do proper due diligence over their operations. Again, to be clear, the data owner (that’s you) bears all the financial responsibility. There are some exceptions to this, such as HIPAA, which, under certain circumstances, can fine the data holder as well.

Inside the company, the CEO most likely accepts the blame for the breach. A third of these CEOs either resign or are fired shortly after the breach. The cyber security community believes the C-Level leadership is responsible because they control the budgets that impact the resilience of their cyber security. IT professionals continually need more technology, which costs more money to protect the data they’re in charge of.

Cyber security professionals face a daunting task; they are fighting a criminal that has the advantage. Attackers according to the IBM cyber security report of 2021, maintain a presence inside the company’s infrastructure an average of 297 days, almost nine months, undetected. Once the attackers get through perimeter security they are now inside the infrastructure. They now conduct reconnaissance, inventory all the assets of the infrastructure, understanding the security in place while always pursuing the highest-level credentials they can obtain. Once inside the infrastructure with credentials they can steal your data. Over the last decade, security professionals have focused on the internal infrastructure called Network Detection and Response (NDR). NDR has proven useful reducing the average stay inside the infrastructure to 222 days. New solutions appearing in the market leverage artificial intelligence to reduce the number of false positive detections making NDR more effective.

Cyber security experts agree that the only defense to the breach pandemic is encryption. Cyber encryption was first deployed when companies wanted to interconnect data systems over dedicated lines, and to secure them they created the Virtual Private Network (VPN). When businesses turned to the Internet for conducting business, they turned to internet HTTPS protocols. Today Google estimates that 95 percent of the Internet traffic is encrypted. Before encrypting the Internet, it was very easy to listen—all you needed was an ethernet packet sniffer and you could collect data real-time. This encrypted traffic is known as “encrypted data in motion,” and, with today’s strong encryption, encrypted traffic has not been cracked.

Once we secured the Internet and before the cloud, most business computing was done at on-premises and co-location data centers. The attackers changed their tactics to stealing hardware, hard drives, and backups. In 2008, Microsoft introduced Transparent Database Encryption (TDE). This symmetrical encryption scheme encrypted the database requiring a login or additional authentication whereby the database would be decrypted and available for use; this is known as “encryption at rest.” With TDE encryption deployed on databases on notebooks, desktops and servers, databases were now protected with strong encryption. This was a significant improvement because if a notebook computer was stolen and the database was protected with TDE security, experts would determine there was no breach. Security professionals agree confidential information with strong encryption provides no access to its contents, therefore the data owner is in safe harbor—no harm.

Now with “encryption at rest” protecting mobile devices, notebooks, desktops and servers, the attackers changed tactics again and started penetrating infrastructures to reach the data in use. This attack surfaced over the last decade and has created the most damage and what we call the breach. Once inside the infrastructure attackers have direct access to plaintext data in databases that support our business applications. The logical next step would then be to encrypt the “data in use.” Unfortunately, if you encrypt data in use your applications will not run. The utility of encrypted data in databases becomes inoperable—no searching, no computations, no productivity. If we could encrypt our data maintained in databases while in use, the attackers would find no value in stealing your data and they would be out of business (e.g., sell your cryptocurrency).

Over the last decade plus, academics and researchers have been working with a new type of encryption called Homomorphic Encryption (HE). The goal of HE is to do computations on encrypted data while the data remains encrypted. In 2009, Dr. Gentry demonstrated the use of lattice cryptology whereby computations could be performed on encrypted data. Dr. Gentry called this variation, Fully Homomorphic Encryption (FHE). Since his disclosure, many technology companies have continued his work on FHE because it was the first that could do both arithmetic and multiplication. Many security experts agree that encrypted data while in use would be the “Holy Grail” of data security.

Unfortunately, FHE is not ready for prime time. It will take a few more decades before a practical use may be realized. FHE suffers from several problems which impact performance, encryption strength, and accuracy. FHE is 10,000 times slower than today’s SQL performance. For example, a SQL query taking 25 milliseconds to execute normally would take 3 ½ minutes in FHE. FHE encryption strength is limited to 128 bits, considered weak encryption by today’s standards. FHE multiplication is limited to integers and small data sets so as not to suffer from execution noise—but we never give up.

I am proud to have worked over the last five years with a group committed to finding a solution to “data in use” encryption. Remaining true to the tenets of homomorphic encryption, this group has created a new solution that allows us to encrypt the database and use it in commercial applications never having to decrypt while in use. This patented technology along with other innovations can now stop the breach, eliminating the attacker’s reason to begin with. This group set out with the real-world security understanding that the attackers are inside the perimeter, the attackers have gotten credentials and that every database query is an attack. This unique privacy enhancing technology will be available soon for anyone to finally secure their data from everyone. It’s zero trust encryption ensures that no single keyholder could access the data, removing implicit trust to data holders, and that data owners cannot be betrayed by internal staff. Application Program Interface (API) access to the data also is secured by zero tolerance threat detection and response quickly isolating attackers and blocking them.

If you are still reading this article, the good news is that the cavalry is just over the hill. In a very short time, you and your vendors will have access to new tools that will stop the reality of a breach and save your company. Remember, it’s always better to be safe than sorry. Let’s stop the breach.