Still Leaving Your Data Unencrypted?
“There’s no reason why mobile devices aren’t being encrypted all the time,” says Fahmida Rashid at InfoWorld, in her analysis of Verizon’s annual Data Breach Investigations Report. Beyond that persistent gap, the report’s main findings show the predominance of malware, especially ransomware (the 22nd most common malware type three years ago, and 5th today), with email as its primary delivery vector. Hacking and phishing campaigns continue to succeed, although a key point of the research is how much the picture differs across verticals. Espionage, for example, accounted for 21% of the data breaches studied in the report, but it is a far larger problem for manufacturing than it is for, say, retailers, who are more likely to be hit by point-of-sale attacks instead.
Healthcare, meanwhile, remains second on the list of industries most susceptible to data breaches. Varying motivations aside, ransomware accounted for 72% of malware attacks in this sector, while insiders were responsible for 68% of its data breaches. Certain measures could have prevented a number of these, says the report’s co-author Marc Spitler: ones we’ve discussed here often in the past, including employee training, activity monitoring, and having a proper response policy in place.
However, all too often, mobile devices of all kinds are left unsecured, and the data on them is exposed to whoever picks the device up. Luckily, the trend in this area appears to be positive. Across the pond, for instance, the EU’s upcoming General Data Protection Regulation (effective May 2018) gives companies an incentive to encrypt their data by allowing potentially lower fines for those who do. In the event of a data breach, fines can run as high as 20 million Euros ($21.9 million) or 4% of worldwide annual turnover, whichever is higher. If the organization has encrypted its data, privacy regulators must take this into account when setting the penalty, and encryption that renders the lost data unintelligible to whoever took it can also remove the obligation to notify the affected individuals. That encourages an atmosphere of encryption as a best practice. No excuses. “The long term reputational damage a company can sustain from data breaches caused by insufficient security make the investment in security certainly worthwhile,” insists Peter Van Dyck, data protection partner with Allen & Overy (Belgium) LLP in Brussels.
Right on cue, reports come in of another stolen laptop, this one belonging to Lifespan Corporation. As is common for this type of incident, the thief broke into an employee’s car and pilfered a MacBook containing the PHI of over 20,000 patients. Was it encrypted? You probably already know the answer: no.
In this case, the organization’s response was the one mentioned above: training employees and improving its policies on where laptops may be stored. Whether that includes encryption is unclear.
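The one check the Lifespan incident calls for is “is this laptop’s system volume actually encrypted?”, and it is cheap to answer before a device leaves the building. Below is an added example, not code from the original article or from any of the organizations it names: a small POSIX shell audit that reads the platform’s own tools (`fdesetup status` on macOS, `findmnt` and `lsblk --inverse` on Linux) and reports `on`, `off` or `unknown`. The function names and the sample tool outputs embedded at the bottom are my own constructions for illustration; the commands and their output formats are the real ones.

```shell
#!/bin/sh
# Added example, not from the original article: audit whether a laptop's
# system volume is protected by full-disk encryption on macOS or Linux.
# The classifiers take tool output as a string so they can be exercised on
# captured samples; the live wrappers run the real commands.

# macOS: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
# (possibly followed by a deferred-enablement note). Only "On" counts:
# a deferred enablement still leaves today's disk readable to a thief.
classify_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Linux: given the output of `lsblk -sno TYPE <root-device>` (the device and
# every layer beneath it, via --inverse), the root volume is encrypted if a
# dm-crypt layer (TYPE "crypt") appears anywhere in that stack. Walking the
# whole stack matters: root on LVM-on-LUKS shows "lvm" first, "crypt" below.
classify_lsblk() {
    if printf '%s\n' "$1" | awk '$1 == "crypt" { found = 1 } END { exit !found }'; then
        echo on
    else
        echo off
    fi
}

# Live wrappers: these call the real tools on the machine they run on.
filevault_status() {
    classify_filevault "$(fdesetup status 2>/dev/null)"
}
linux_root_status() {
    root_dev=$(findmnt -no SOURCE /) || { echo unknown; return; }
    classify_lsblk "$(lsblk -sno TYPE "$root_dev" 2>/dev/null)"
}

# Dispatch on the running OS; anything else reports "unknown" (fail closed,
# so an unsupported platform is never silently counted as compliant).
check_fde() {
    case "$(uname -s)" in
        Darwin) filevault_status ;;
        Linux)  linux_root_status ;;
        *)      echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from any real machine) so the
# classifiers can be checked without a MacBook or a LUKS box at hand.
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_DEFERRED='FileVault is Off.
Deferred enablement appears to be active for user alice.'
SAMPLE_LSBLK_LUKS='lvm
crypt
part
disk'
SAMPLE_LSBLK_PLAIN='part
disk'

# Usage: `sh fde_check.sh --live` audits this machine; with no argument the
# script runs the classifiers over the constructed samples above.
case "${1:-}" in
    --live)
        check_fde
        ;;
    *)
        printf 'FileVault on:       %s\n' "$(classify_filevault "$SAMPLE_FV_ON")"
        printf 'FileVault deferred: %s\n' "$(classify_filevault "$SAMPLE_FV_DEFERRED")"
        printf 'Linux LVM-on-LUKS:  %s\n' "$(classify_lsblk "$SAMPLE_LSBLK_LUKS")"
        printf 'Linux plain root:   %s\n' "$(classify_lsblk "$SAMPLE_LSBLK_PLAIN")"
        ;;
esac
```

Two caveats worth stating when this is rolled into a fleet check. A deferred FileVault enablement is reported as `off` on purpose: until the next restart the volume is still plaintext. And encryption at rest only protects a device whose keys are not in memory; a MacBook lifted from a car while asleep keeps its FileVault key in RAM unless standby is configured to destroy it (`pmset -a destroyfvkeyonstandby 1` together with hibernate mode), so the audit above is necessary but not sufficient on its own.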
As long as companies remain slow on the uptake, leaving their most critical data unsecured for anyone who breaks a car window to walk off with, reports like this will continue to pour in, and patients will keep receiving breach notifications. Hopefully, though, people are catching on, and Verizon’s next report will show improvement.