Businesses and consumers have a false sense of privacy when they use cloud-based services like Gmail and Dropbox to communicate about everything, from their personal relationships to health information to financials. Because these services are cloud-based and accessible by password, users automatically assume that the communications and files being shared are secure and private.
The reality is that they aren’t. Users are consistently misled by marketing materials that describe services as “secure” and user data as “encrypted” or “protected”. The types of encryption these companies use do not keep a user’s information private from the provider. Cloud providers use encryption in transit (which protects data as it travels from the user to the provider) and encryption at rest (in which the provider encrypts stored user data with keys the provider itself controls). Even with both of these types of encryption in place, the cloud provider retains the ability to decrypt and read a user’s information, which also makes that information more vulnerable to access by others.
While these companies don’t necessarily tell you they can read your data, their Terms of Service make this clear. They access it in order to sell advertising or to provide additional services to consumers or businesses. For example, a series of 2014 federal and state privacy lawsuits led Google to finally update their Terms of Service, clearly acknowledging that they read your content (including emails). Most users simply don’t realize they are making this privacy and security tradeoff.
Almost half of all IT services are being delivered by the cloud. As the cloud gets bigger, it becomes a larger and more attractive target – especially as companies capture and store important data there.
Because of this, cloud providers are increasingly becoming the central point of attack for hackers. By targeting cloud service providers, hackers are able to access data from multiple companies at once and carry out those attacks from anywhere in the world.
Even if you’re not the intended target, if a service provider is breached, your data can be exposed. The vast majority of cloud-based services have this fundamental design vulnerability. Because these services can access user data, it’s not possible to guarantee that the data can’t be seen by an attacker as well. Using any cloud-based service that doesn’t have the right tools in place, such as end-to-end encryption, is effectively like handing your phone to a complete stranger.
Encryption methods such as end-to-end encryption are one way to protect your data: the encryption keys stay with the users, so only the intended recipients are able to decrypt the business information you are sending. With end-to-end encryption, nobody else can read a user’s information, not even the service provider.
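The difference between provider-controlled encryption at rest and end-to-end encryption comes down to who holds the key. The following added example (not code from the original article or from any provider mentioned in it) models both cases: a simulated cloud provider that encrypts uploads with its own at-rest key, and a client that encrypts before uploading with a key that never leaves the device. The cipher is a stand-in built from Python's standard library (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC), chosen only so the example runs without third-party packages; a real system would use a vetted AEAD such as AES-GCM. The provider, client and storage classes, and the sample message, are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter) blocks.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CloudProvider:
    """Hypothetical provider: stores blobs and holds its own at-rest key."""

    def __init__(self) -> None:
        self.store: dict[str, bytes] = {}
        self.at_rest_key = secrets.token_bytes(32)  # provider-controlled key

    def upload_at_rest(self, name: str, plaintext: bytes) -> None:
        # TLS protected the wire, but the provider receives plaintext and
        # encrypts it with a key the provider controls.
        self.store[name] = encrypt(self.at_rest_key, plaintext)

    def upload_blob(self, name: str, blob: bytes) -> None:
        # Opaque upload: the provider never sees the plaintext or the key.
        self.store[name] = blob

    def provider_reads(self, name: str):
        # What the provider itself, or an attacker who breaches the provider
        # and obtains both the store and the at-rest key, can recover.
        try:
            return decrypt(self.at_rest_key, self.store[name])
        except ValueError:
            return None


class E2EClient:
    """Hypothetical client: the key is generated and kept on the device."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def upload(self, provider: CloudProvider, name: str, plaintext: bytes) -> None:
        provider.upload_blob(name, encrypt(self.key, plaintext))

    def download(self, provider: CloudProvider, name: str) -> bytes:
        return decrypt(self.key, provider.store[name])


def demo() -> dict:
    msg = b"Q3 financials: revenue up 12%"  # constructed sample message
    provider = CloudProvider()
    provider.upload_at_rest("report-at-rest", msg)
    client = E2EClient()
    client.upload(provider, "report-e2e", msg)
    return {
        "at_rest_provider_can_read": provider.provider_reads("report-at-rest") == msg,
        "e2e_provider_can_read": provider.provider_reads("report-e2e") == msg,
        "e2e_owner_can_read": client.download(provider, "report-e2e") == msg,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the article in one table: the at-rest copy is readable by the provider (and by anyone who compromises it), while the end-to-end encrypted copy is readable only by the key holder. The authenticated decrypt also means a tampered or wrong-key blob is rejected rather than silently returning garbage.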
These tools will be incredibly effective in protecting data, but only if they are actually used. In fact, 45 percent of IT personnel knowingly circumvent their own security policies. So the encryption strategies and tools used to protect information must allow for “no exceptions”: that is, they must leave IT personnel no way to expose their enterprises to attacks. It helps, too, if knowledge workers can encrypt their emails very easily, with little to no learning curve involved.
Encryption methods are most effective when used in conjunction with well-aligned internal policies. Decentralize access to data when possible, minimize or eliminate accounts with privileged access, and carefully consider the risks when deciding to share data or use SaaS services.
In doing so, companies and consumers alike can be empowered to ensure that their data is their business – and their business only.