Why Cryptography is Foundational in Delivering Digital Trust

Whether they're running a small startup or at the helm of a Fortune 500 enterprise, every modern executive is thinking about digital transformation. That's because they understand the potential for technology to radically transform their business -- as well as the pitfalls presented by ignoring those possibilities. At its core, transformation is about applying intelligence to data, and using that to anticipate customers' needs and enhance their experience.

Gartner says that 125,000 large organizations are launching digital business initiatives now and that CEOs expect their digital revenue to increase by more than 80% by 2020. IDC expects that the percentage of enterprises creating advanced digital transformation initiatives will more than double by 2020, from today’s 22% to almost 50%. But today's digital economy is at a tipping point; as enterprises require exponentially increasing amounts of customer data to enable transformation, more and more of them are failing to adequately protect that data. And that failure is endangering consumer trust. A 2016 survey by Accenture found that 83 percent of executives believe that trust is the cornerstone of the digital economy.

A similar percentage say a lack of security and data controls would prevent them from sharing data across other companies' digital ecosystems. The consequences of breaching customers’ trust will become more severe as the Fourth Industrial Revolution gains momentum and businesses’ dependency on data grows.

IDC predicts that the amount of data subject to analysis will surge by a factor of 50 in the nine years to 2025, to 5.2 trillion gigabytes. But the increasing frequency and severity of data breaches belies that trust and imperils the transformation efforts of some of the largest organizations on the planet.

From Under Armour to LinkedIn and Marriott, Fortune 500 companies have left billions of customer records exposed, leaving consumers vulnerable to identity theft, account takeovers, and worse. Gartner predicts that by 2020, 60 percent of digital businesses will suffer major service failures due to their security teams' inability to manage risk. Yet the majority of breaches could have been avoided fairly easily, if the companies had only taken basic security measures.

Consider the following examples:

  • When Equifax suffered a massive data breach in May 2017, leaking the personal information of nearly 150 million consumers, the attack went undetected for months, due to an expired certificate inside the consumer reporting agency's intrusion detection software.
  • The biggest data breach in history was Yahoo's loss of 3 billion email addresses and passwords in 2013. Customer records had been protected using a hash algorithm, MD5, that was proven to be vulnerable to attack as early as 2005. (When T-Mobile lost 2 million customer records in August 2018, the data may also have been encrypted using the broken hash algorithm MD5.)
  • Last November Marriott announced that 500 million records had been stolen by external attackers. Though the official cause of the breach has not been confirmed, researchers believe the thieves may have stolen the cryptographic keys used to secure the hotel chain's customer database.
  • Heartbleed, a security flaw in the OpenSSL encryption software used widely across the Internet, left millions of websites vulnerable to attack before it was discovered in April 2014. In June of that year, attackers exploited the bug to steal 4.5 million medical records from Community Health Systems. Even today, thousands of sites remain unpatched.

Data breaches have serious consequences that can linger for years. Customers leave. Lawsuits are filed. Cleanup efforts can cost hundreds of millions of dollars. Share prices plummet. Top executives lose their jobs. And Congress begins rumbling yet again about the need for new federal data-protection regulations. Even worse: if customers don't trust you, they will stop giving you their data, and your transformation efforts will grind to a halt. Gartner reports that one of the single biggest barriers to successful digital transformation is the inability to secure confidential data.

Four questions you need to ask

All of these breaches, and many more like them, could have been prevented or greatly mitigated though cryptographic lifecycle management. A crypto audit would have turned up the expired certificates and deprecated algorithms long before they caused a problem. And even if attackers gained access to your network, modern encryption technology would have prevented them from using the information they had stolen.

But few enterprises have more than a basic understanding of cryptography. And even if they have crypto expertise within their organizations, it rarely makes it up the chain into the C- suite or at the board level where budget decisions are made. As a business leader, you are the shepherd of your customers' data, which may be your company's single most valuable asset. It's your job to keep it safe and secure. To do that, you need to start by asking the following questions:

What risks would a data breach present?

There is no upside to a massive data breach. You could suffer the loss of proprietary information or intellectual property, as well as the erosion of consumer confidence or the trust of the public markets. Aside from being a public relations nightmare, data breaches also bring compliance issues into play. This is especially true if you operate in a highly regulated industry or in the European Union, where you would come under the jurisdiction of the General Data Protection Regulation (GDPR). You need to carefully map out the risks and potential costs associated with poor data governance.

Whose job is it to ensure that your crypto is up to the task?

Someone in your organization needs to be directly responsible for protecting your data from accidental leaks or targeted attacks. Don't automatically assume that your CIO, CTO, or CSO has it under control. Cryptography is a specialized discipline; even certified computer security professionals don't necessarily know much about it. If your organization is large enough, it may need its own Chief Risk Officer (CRO) or Data Protection Officer (DPO).

How do you know that your data is properly protected?

Too many organizations treat encryption as a tick box that needs to be checked. Simply having a crypto scheme in place is not enough. (Just ask Yahoo.) A surprisingly large number of enterprises rely on open source libraries containing a mix of older and newer algorithms, or are using legacy applications that have deprecated schemes hard-coded within them. And some companies don't even know what kind of crypto they're using. Before you can fix what's broken, you need to know what you've got. That usually starts with an audit that identifies every system within your organization where cryptography is used, what algorithms are in place, whether their certifications are current, and where the cryptographic keys are stored.

How agile is your crypto strategy?

Threats evolve, new vulnerabilities are discovered, and crypto algorithms that had been considered secure for years are obsolete overnight. The only true protection against this is to adopt cryptographic agility, which allows your company to pivot away from risks as new exploits appear. For most enterprises, this will not be a trivial task. Depending on the organization and the number of legacy applications it relies on, the transition could take years. But it's less expensive than hard-coding in new crypto, only to be forced to upgrade it again in a few years. And it's far preferable to a costly data breach. When quantum computers are a reality -- and they're already on their way -- even today's most sophisticated cryptographic algorithms could be cracked in a matter of hours. You'll need to be ready to implement new quantum-safe schemes. Crypto-agility is the only way to do that.

Trust is Everything

Digital trust is the foundation for business going forward. If your customers don't trust you to keep their information safe and secure, they won't do business with you. If they're unwilling to share their data, you won't be able to take advantage of the new capabilities and revenue streams that data can help enable. You won't be able to meet consumers' increasing demands for personalization, or to use AI and machine learning to anticipate future market trends. Eventually, more nimble and security-savvy upstarts could leapfrog you. Cryptography can't solve every cybersecurity issue. Your network could be compromised after an employee was fooled by a phishing scheme, or due to lax password management, or because an external attacker exploited an unknown vulnerability in a business app you rely on. Bad things will continue to happen. But if your data is sufficiently encrypted, and you make the effort to ensure your crypto is always up to date and strong, you'll reduce the potential harm by an order of magnitude. That's something every business leader should be thinking about.


Crypto-Agility. Why Now?