Why encryption is failing us


Encryption is viewed by many as “bullet proof” technology. Along with antivirus software, organisations swear by it, and consumers feel overly confident knowing that their recent transactions and personal data are encrypted. Despite the confidence around this “go-to” technology, time has shown that encryption is just not enough. In fact, it’s failing us.

About the author

Tom Kellermann is the Head Cybersecurity Strategist at VMware Carbon Black.

History Repeats Itself

A look at recent high-profile data breaches shows that encryption software either did nothing to prevent hackers from infiltrating systems or, worse, helped disguise cyber criminals while they wreaked havoc in organisations’ systems.

In September 2017, Equifax announced a data breach that exposed the personal information of 147 million people. During the incident, an attacker was able to crack into Equifax’s system in mid-May and hide within encrypted traffic until the end of July -- more than two months without anyone noticing.

More recently, in November 2018, Marriott disclosed a data breach that affected 327 million customers, which, in my opinion, was based on a false sense of security in encryption. Hackers had been hiding in Marriott’s system since July 2014, gaining access to a whopping 25.6 million passport numbers in the breach, of which 5.25 million were unencrypted. While it seemed Marriott believed encryption would save the day, the technology was ultimately implemented incorrectly, leaving the organisation's endpoint security blindsided during the breach.

Encryption Alone is Not Enough

Most organisations today invest in encryption due to regulatory mandates, yet they fail to understand that encryption is not “bullet proof” -- rather, it should be viewed as a steel tunnel with a locked door at either end. The keys for these doors can and will be stolen. Encryption is a basic defence that protects data while in transit or at rest, but it shouldn’t be the only thing protecting our medical records, credit scores, bank statements and other digital documents that only we -- and the vendor we choose and trust -- should be allowed to see.

Think of a criminal breaking into a home. A basic lock on the front door alone won’t stop them from accessing what’s inside. Instead, they look for alternative routes -- side doors, open windows, garages -- or even try a skeleton key on the front door. The mistake is in not protecting the master keys. The cybercrime wave of 2019 is flourishing due to the misconception that encryption is foolproof.

What Should I Do?

Unfortunately, we as consumers don’t have much control over the types of security defences vendors are using. It’s a flawed trust system, in which we can only assume organisations have multi-layered defences, beyond just encryption, that will keep hackers at bay. One might guess that large, well-known entities have better protection controls (and a higher cybersecurity budget) than smaller vendors, but as we saw with recent breaches, this doesn’t always mean tighter security. In addition, these large corporations are being targeted by elite hackers of the Dark Web, which marginalises any proactive security posture.

When doing business online, there are a few best practices to implement to better protect your information. Make it a point to only share sensitive information if it’s a reasonable request -- for example, an online retail store shouldn’t be asking you for passport details. If it is, it’s a scam. When entering personal details, ensure the website’s address begins with https://, as the “s” stands for secure. You may also want to do some homework to ensure the vendor hasn’t had any major security issues of late and has been recognised for its security.

I also recommend limiting your exposure by taking these eight simple steps:

  1. Update all software Tuesday nights - this includes apps.
  2. Use security software on all devices. 
  3. Use Firefox for your browser.
  4. Change your home router’s password.
  5. Turn on firewall and use encryption.
  6. Use sentences rather than passwords.
  7. Never use public Wi-Fi or Bluetooth unless you use a VPN.
  8. Never use your debit card online.

We live in a world where most transactions are now done online. While we can follow best practices to better protect our information and conduct due diligence on online vendors, it’s ultimately organisations’ responsibility to realise that encryption alone is not the answer. It will eventually fail them and, in turn, your digital identity will be victimised. Begin to choose who you do business with based on the seriousness of their security programmes, as today your physical safety is tied to your digital safety.


Tom Kellermann


Prior to this role Tom was the Chief Cybersecurity Officer for Carbon Black. Tom serves as the Wilson Center’s Global Fellow for Cybersecurity Policy and sits on the Technology Executive Council for CNBC.

Tom previously held the positions of CEO and founder of Strategic Cyber Ventures; Chief Cybersecurity Officer for Trend Micro; Vice President of Security for Core Security; and Deputy CISO for the World Bank Treasury. In 2008 Tom was appointed a commissioner on the Commission on Cyber Security for the 44th President of the United States. In 2003 he co-authored the book “Electronic Safety and Soundness: Securing Finance in a New Age.”

From 2007 to 2015 Tom taught a course on cybercrime as an adjunct professor at American University's School of International Service and Kogod School of Business. Tom is a Certified Information Security Manager (CISM).