Do we have enough data breaches?
Do we have enough data breaches?
That may be a question that you’ve never heard before. Instead, attention usually focuses on the massive amount of sensitive personal information that’s lost through data breaches and the ways to address the problem. It’s certainly possible to reduce the amount of sensitive data that’s lost. You can encrypt storage devices like laptop hard drives and backup tapes, for example, so that if the storage is lost then the sensitive data that it stores isn’t available to whoever ends up with the device.
The question that’s rarely considered is whether or not this is actually worth doing. After all, many forms of encryption are expensive and hard to use, so it might be the case that the cost of encrypting your storage is greater than the damage that losing the stored data will cause. There’s also the question of availability to address. If you can’t decrypt data that you’ve encrypted, your encryption hasn’t just protected the sensitive data from hackers – it’s also cryptographically shredded it and made it unavailable to you also.
This is much like the situation that auditors face when trying to eliminate fraud. With no controls in place, you’ll probably have lots of losses due to fraud. At the other extreme, you can have extremely strict controls in place, but you’ll find that you’re spending more on the controls than the fraud that you’re eliminating. So there’s an optimal amount of fraud, and auditors don’t expect you to have controls that reduce fraud past this optimal level.
In the case of protecting sensitive data, we have a very similar situation. With no controls at all in place, it’s likely that all of your sensitive data will find its way into the hands of hackers. At the other extreme, you can have extremely strict information security measures in place. But in this situation you’ll find that the costs imposed by the higher level of security is extremely high, and you’re better off without such draconian measures. So you also need to find the point where the cost of the security measures isn’t too high, but the amount of sensitive data lost also isn’t too high. And just like auditors don’t try to reduce fraud past the optimal level, you shouldn’t try to reduce data breaches past the optimal level either.
This means that it’s certainly possible that you’re not having enough data breaches, and that it would make sense to reduce the level of security in your organization until you find the right balance between data loss and the cost of your security measures. This is almost certainly not the case. Most organizations still don’t encrypt much information, and this is probably because some forms of encryption are indeed hard and expensive to use. If you’ve only looked at those technologies, then you might have come away with the impression that it was better to not use the technology and to take the risk of losing data.
Fortunately, encryption technology has gotten much better in the past few years. It’s now simple enough to use that the costs of supporting it make it reasonable to use in more cases than before. Key management technology has also gotten better, so you can be sure that you’ll be protecting your data with encryption instead of shredding it. So if you once looked at encryption as a way of protecting sensitive data and decided not to use it, it might be worth looking at the newer technologies. They’re much better than they once were, which means that it’s now cost-effective to use them in ways that it wasn’t in the past.