Interview: Gemalto's Rana Gupta talks secure breaches, encryption and cyber attacks
Your company's information is always at risk of being stolen, but what if that stolen information is encrypted - and worthless to hackers? We talked to Rana Gupta, Gemalto’s vice president of Identity & Data Protection. He works with customers and partners to understand how data breaches affect business issues — both before and after they happen. Most importantly, he helps customers find a way to solve those problems.
“If an organization has the business need of making use of public cloud services but is concerned about data security and privacy, it is our role at Gemalto to solve this issue by helping the organizations adopt public cloud services while continuing to protect their most sensitive data,” he says.
In April, Gemalto released statistics from its 2017 Breach Level Index, which found that although there are fewer breaches, more information than ever is being stolen. Gupta says this is one of the most terrifying things about the attacks - they’re being far more effective and doing more damage than ever.
He says that the resurgence of ransomware has partly been the cause, as well as extortion and attacks on IoT devices.
“Organizations – especially those who provide critical services, including healthcare and utilities - were willing to pay ransom to avoid losing data or having their systems shut down, simply because they couldn’t afford to halt their operations even temporarily, let alone days. This no doubt had boosted the ego of the cybercriminals and fueled similar attacks.”
“In 2016, we saw IoT-based DDoS attacks for the first time. We expect for such attacks making use of IoT devices to continue growing globally and in APAC,” he says.
“By today, it has been proven repeatedly that connected cars can be hijacked via its internet-enabled telematics box – even Tesla is not impervious to this type of hacking – safe to say we will continue to see more cases of technology-led accidents, highlighting the need to continuously engage in the discussion of security."
“IoT device security works best if manufacturers and relevant parties of IoT devices take ownership of this issue and better secure their devices, instead of leaving them to their customers to handle."
Hackers might keep on hacking, but it doesn’t necessarily have to mean the information they get is worth anything. The secure breach approach, in which hackers take encrypted information that means nothing without the encryption key, is now more possible than ever.
“Having encrypted the data gives the victimized business or individual more time to back up or resolve the breach before any actual damage is made. Although the concept is not entirely new, the technological capability to encrypt data on an enterprise scale and in a centralized way that does not disrupt business flow, is,” Gupta explains.
The only issue is, not many organisations are using the secure breach approach - only 4.2% of breach incidents used encryption.
Gupta says that data encryption underpins secure breaches. Security controls — and user education — can embed protection into the assets - everything from the data center to applications and databases.
Gupta explains that key management is the second critical part: making sure that the secure key never leaves the organisation when it is under attack.
“Encrypting the data without having strong key management would be equivalent to locking your house but leaving the keys under the front doormat,” he says.
Secure authentication is the third part, making sure that those who can access the data and keys are the correct people.
With the dangers of ransomware exposed in the WannaCry attacks dominating headlines this week, it shows the lucrative data that healthcare providers in particular hold. But what are APAC providers doing to prevent attacks?
“While the APAC healthcare sector is taking serious note of ransomware attacks, the question to be asked is whether it is doing anything or enough to tackle the patient privacy and/or the information integrity attacks,” Gupta says.
“The more dangerous attacks can be inflicted by modifying the medical data for patients, leading to incorrect medical procedures without anyone realizing before it is too late. An example can be modifying the details of the patient’s allergies and schedules of medical treatments, which would lead to providing wrong medication altogether, potentially killing the patients,” he continues.
Delving further into the Breach Level Index APAC results, Gupta says that while Asia does have a lack of data breach notification laws, this will soon be changing.
“We are witnessing a change in regulatory environment calling for increasing awareness and raising the reputational stakes. Research has shown that progress on cybersecurity regulation is event-driven. We hope with the cautionary tales such as the Yahoo hack, there will be greater push for regulations for mandatory data breach notification to be passed in Asia,” he says.
He cites The EU General Data Protection Regulation and Australia’s Privacy Amendment Bill 2016 as new laws that may change breach notification, it’s still too early to predict their effects.
“Based on the seriousness of the offence (when companies fail to inform the necessary authorities in the event of a qualifying breach), we see companies listening closely and making plans to beef up their data protection schemes,” he comments.
He says that while organisations’ costs will increase as investment goes up to comply with requirements, this will benefit them in the long run.
“Apart from the monetary loss, there are other intangible prices a compromised company has to pay. In the age of the internet, the consumers’ trust in a business to protect their data can make or break a company,” he concludes.