Monthly Archives: April 2023

The data is in the cloud, but who’s in control?

Ponemon Institute is pleased to present the findings of the 2022 Global Encryption Trends Study, sponsored by Entrust. We surveyed 6,264 individuals across multiple industry sectors in 17 countries/regions – Australia, Brazil, France, Germany, Hong Kong, Japan, Mexico, the Middle East (which is a combination of the respondents located in Saudi Arabia and the United Arab Emirates), Netherlands, the Russian Federation, Spain, Southeast Asia, South Korea, Sweden, Taiwan, the United Kingdom, and the United States.

The purpose of this research is to examine how the use of encryption has evolved over the past 17 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a U.S. sample of respondents. Since then we have expanded the scope of the research to include respondents in all regions of the world.

Organizations with an overall encryption strategy increased significantly since last year. Since 2016 the deployment of an overall encryption strategy has steadily increased. This year, 62% of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise, a significant increase from last year. Only 22% of respondents say they have a limited encryption plan or strategy that is applied to certain applications and data types, a significant decrease from last year. The average annual global budget for IT security is $24 million per organization. The countries with the highest average annual budgets are the U.S. ($41 million) and Germany ($28 million).

Following are findings from this year’s research:

Enterprise-wide encryption strategies have continued to increase. Since conducting this study 17 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. In this year’s study, 61% of respondents rate the level of their senior leaders’ support for an enterprise-wide encryption strategy as significant or very significant.

Certain countries/regions have more mature encryption strategies. The prevalence of an enterprise encryption strategy varies among the countries/regions represented in this research. The highest prevalence of an enterprise encryption strategy is reported in the United States, the Netherlands, and Germany. Although respondents in the Russian Federation and Brazil report the lowest adoption of an enterprise encryption strategy, since last year it has increased significantly. The global average of adoption is 62% of organizations represented in this research.

Globally, the IT operations function is the most influential in framing the organization’s encryption strategy. However, in the United States the lines of business are more influential. IT operations are most influential in the Netherlands, Spain, France, Southeast Asia and the United Kingdom.

The use of encryption has increased in most industries. Results suggest a steady increase in most of the 13 industry sectors represented in this research. The most significant increases in extensive encryption usage occur in manufacturing, energy & utilities and the public sector.

Employee mistakes continue to be the most significant threats to sensitive data. In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests.

Most organizations have suffered at least one data breach. Seventy-two percent of organizations report having experienced at least one data breach. Twenty-four percent say they have never experienced a breach and 5% are unsure.

The main driver for encryption is the protection of customers’ personal information. Organizations are using encryption to protect customers’ personal information (53% of respondents), to protect information against specific, identified threats (50% of respondents), and to protect enterprise intellectual property (48% of respondents).

A barrier to a successful encryption strategy is the inability to discover where sensitive data resides in the organization. Fifty-five percent of respondents say discovering where sensitive data resides in the organization is the number one challenge, and 32% of respondents say budget constraints are a barrier. Thirty percent of all respondents cite initially deploying encryption technology as a significant challenge.

No single encryption technology dominates in organizations. Organizations have very diverse needs for encryption. In this year’s research, backup and archives, internet communications, databases, and internal networks are most likely to be deployed. For the fifth year, the study tracked the deployment of the encryption of Internet of Things (IoT) devices and platforms. Sixty-three percent of respondents say IoT platforms have been at least partially encrypted and 64% of respondents say encryption of IoT devices has been at least partially deployed.

Certain encryption features are considered more critical than others. According to the consolidated findings, system performance and latency, management of keys, and enforcement of policy are the three most important encryption features.

Intellectual property, employee/HR data, and financial records are most likely to be encrypted. The least likely data types to be encrypted are health-related information and non-financial information, which is a surprising result given the sensitivity of health information.

To read the rest of this report, and find out how organizations are using encryption to protect data and workloads across multiple cloud platforms, visit Entrust’s website at this link.

Dealing with Twitter’s 2FA downgrade? Don’t make this mistake

Bob Sullivan

Twitter has followed through with its half-baked plan to turn off two-factor authentication for (millions of?) non-paying users, leaving them half-naked to the vast criminal underground. If that’s you, you’re looking at not-very-good choices right now, but doing nothing might be the worst of all. I’m seeing reports of people getting hacked almost immediately, which you would expect, given the long lead time criminals have had to prepare for this day when many accounts would suddenly be one password away from compromise.

The only practical answer for most people who wish to continue to use Twitter without paying for SMS security is to enable a free token generator tool like Google Authenticator. I recommend you do that, too, rather than remain out there half-naked. Twitter has haphazardly implemented this massive security change in the most unprofessional and ineffective way, putting all the onus on users — messages this week even tell users “you’ve turned off two-factor authentication,” which is quite an abuse of the English language. It would be understandable, even responsible, for these users to rush into installation of an authenticator. But please take heed of the advice I’m about to give or else, I promise, sometime in the next 10-500 days you’re going to have a hellish time recovering from loss of access to your account.


In short, if you lose your phone, or it’s damaged, or you lose access to that authentication code for any reason, you may very well lose your Twitter account forever. The only thing standing between you and that very frustrating day would be a massive increase in Twitter customer service spending, and I can just about promise you, that’s not happening.

Many authentication tools have a big implementation flaw: they don’t have a user-friendly failover plan. This is because tokens have a damned-if-you-do-and-damned-if-you-don’t quality. Google Authenticator does NOT allow you to create backups. Why? Backups could be accessed by hackers, rendering the entire security protocol insecure.

You’ve seen, and used, the “forgot your password?” link many times. It’s a way of dealing with perhaps the most common roadblock on the Internet — users are told not to re-use passwords, so they forget all these newfangled passwords they use. They’re told to use password managers (a good idea!) but then they lose access to that manager or something else goes wrong. No worries: ‘Forgot your password’ usually fixes things quickly. But it’s also the weakest link in many security implementations (Here’s my 15-year-old story about that!). Criminals with just an email address can request a password reset using ‘forgot your password,’ so it creates quite a dilemma for tech companies — how do you service forgetful users without making things easy for criminals?

Authenticator implementations go a new route, effectively eliminating the customer service part of this risk equation.

If you can’t access Google Authenticator…you can’t log in. You can’t write to the app or website and ask for a new authentication code the way you use “forgot your password.” You are…just stuck. If your phone is stolen, you can’t generate the code you need to log in. Period. As I described in my story about recovering Rusty’s Instagram account, you may very well be in for months of frustration trying to recover your account some other way. Some other way, like this “prison photo” I had to take of myself.

Unless you’ve prepared ahead of time. Many sites which use authenticators create their own backup systems — often, one-time codes that the app generates which can be used as a kind of get-out-of-jail-free card. Twitter, at the moment, lets you generate one such code. To find it, for now, go to “Security and Account Access” then “Security” then “Two Factor Authentication” then “Backup Codes.” Then — and this is CRITICAL — take a screenshot of that code or write it down and put it someplace you’ll remember for the inevitable day that you’ll need it.

WARNING: YOU CANNOT GENERATE THIS CODE AFTER YOU’VE LOST ACCESS TO YOUR ACCOUNT!! You MUST take this step RIGHT NOW, as soon as you implement an authenticator app.
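The failure mode described above falls straight out of how authenticator apps and backup codes work server-side. This is an added illustration, not Twitter's or Google's code: a minimal RFC 4226/6238 TOTP verifier plus one-time backup codes stored only as hashes. The plaintext codes come back from `enroll()` exactly once; after that the server holds only hashes, so it cannot hand them to you again, and each code is consumed on first use. The eight-digit code format and ten-code default are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step)

class Account:
    """Server-side 2FA state for one user: a TOTP secret and hashed one-time backup codes."""

    def __init__(self) -> None:
        self.totp_secret = secrets.token_bytes(20)   # shared with the phone app at enrolment
        self._backup_hashes: set = set()

    def enroll(self, n: int = 10) -> Tuple[str, List[str]]:
        """Return the base32 secret (for the QR code) and the plaintext backup codes.
        Only SHA-256 hashes are kept, so this is the only moment the codes are readable."""
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]  # constructed format
        self._backup_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return base64.b32encode(self.totp_secret).decode(), codes

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        """Accept a current TOTP (with one step of clock skew) or an unused backup code."""
        now = time.time() if now is None else now
        for skew in (-30, 0, 30):
            if hmac.compare_digest(totp(self.totp_secret, now + skew), submitted):
                return True
        digest = hashlib.sha256(submitted.encode()).digest()
        if digest in self._backup_hashes:
            self._backup_hashes.discard(digest)   # single use: a replayed code is rejected
            return True
        return False
```

Lose the phone (the secret) and the enrolment printout (the codes), and `verify()` has nothing left to accept; the server-side state holds no way to regenerate either.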

As you re-read that section of this story, I’m sure you’ll see this as I do. There’s about a zillion ways human beings can get this step wrong, and will get this wrong. I predict Twitter will relatively soon be overwhelmed with account recovery requests that it cannot handle. That’s precisely what happened to Instagram/Facebook with authenticator tools. Desperate Instagram users write to me every day trying to regain access to their accounts. I predict this is going to be a far bigger issue for Twitter than account hacking.

For what it’s worth, in Instagram’s case, I believed I *had* copied the backup codes (three years prior) when I turned on 2FA after a hacking attempt from Russia; the codes I had didn’t work. So I think it’s quite possible consumers who don’t create backup codes, or don’t copy them down, or can’t find them the day they need them, aren’t the only potential pitfall of this system.

Meanwhile, if you are thinking, “I’m supposed to write down a secret code on a post-it note and leave it where I can find it as a login procedure? Isn’t that what they told me NOT to do 30 years ago?” you aren’t alone.

To be sure, there are *better* ways to implement an authenticator-based two-factor system. After my phone was stolen, Substack had me fill out a form and I engaged with a customer service representative over email who verified my identity manually. That worked just fine within a day or so. Twitter could, in theory, do this. It won’t. It will be too expensive. Far more expensive than the cost of those pesky SMS text messages that Elon just turned off out of spite and desperate penny-pinching.

Were the implementation responsible and well-planned, I would cheer for the end of SMS-based authentication. It’s not particularly safe, though it is far, far safer than password alone. Switching to a “something you have” model is truly a good long-term goal. But turning off two-factor en masse is crazy, as is hurtling a bunch of unprepared people into token-based authentication world.

BOTTOM LINE: If your two-factor authentication setup has been turned off by Twitter, take 10 minutes to turn it on now, but DON’T sprint past the backup method. I wish I could give you universal instructions to do this. I can’t, really. Everyone’s setup and needs are different. Just ask yourself: What would I do if I lost my phone? For a little more help, here’s a good CNET story about the right way to turn on authenticator on an up-to-date iPhone.

Also, there are alternatives to backup-limited tools like Google Authenticator. Microsoft Authenticator backs up accounts in the cloud — i.e., if you lose access to your phone, you can re-download the authentication generator. I have not used it so I cannot recommend it. Twitter also recommends Authy, Duo Mobile, and 1Password; each of them has its own backup options and quirks. I’ve linked to their backup explainer pages. But whatever you do, don’t just add an authentication app today and move on. You’ll regret it.