Encryption Software: Less Than 1% Of Breached Records Encrypted.

According to esecurityplanet.com, a compilation of data breaches in Q2 of 2014 shows more than 175 million customer records exposed.  Of those, only 1% represented a situation where strong encryption prevented the data from being used.

But, isn’t that expected due to the nature of what’s being reported?  In other words, aren’t we dealing with a “Dewey is President of the US” scenario?

Encryption is Important, Works as Designed

The importance of encryption software as a deterrent to data breaches is unparalleled.  This week we saw how Apple and other companies are pledging to make more use of encryption to protect their clients’ data – and more importantly, the reaction from law enforcement (I won’t say they freaked out, but they certainly were not happy about the announcement).

The truth of the matter is that encryption works (assuming it’s been designed and implemented correctly – which is the reason why the US federal government can only use encryption solutions vetted by NIST and given FIPS validation.  For example, AlertBoot’s solutions use encryption that has obtained FIPS 140-2 certificates).

Another truth: people don’t use it as much as they should.  And not just to make things hard for the government, but because there is a real problem of people collecting data on other people and using it for fraud and other nefarious purposes.

However, the numbers are not as dire as that reported by esecurityplanet.com.  Indeed, most surveys show that the use of encryption – while varying wildly depending on the industry and who ultimately controls a data storage device – tends to be in the double digits, anywhere between 25% and 50% (or even much, much higher).

So what’s going on with esecurityplanet.com’s numbers?

Dewey Defeats Truman

Basically, it comes down to what your data samples are.  To give a historical example, in 1948 the Chicago Tribune publicized on the day after the US presidential election that “Dewey Defeats Truman” despite the results being quite the opposite.  While there were many reasons for this blunder, among them was that opinion polls had predicted a Dewey victory.

And the reason why the opinion polls got it wrong?  Well, it was a nascent industry at the time but I have heard that some publications were asking readers to “send in their votes”…and the readers of these publications heavily leaned towards Dewey.  In other words, the poll wasn’t scientific at all; the sample was biased.

Likewise in the esecurityplanet.com numbers: most countries and industries give the users of encryption software “safe harbor” from the obligation of publicizing a data breach.  That means that most data breaches you read about you only read about because encryption was not used (let that sink in for a second).

No wonder less than 1% of these data breaches involve a situation where strong encryption – or any type of encryption – was used.  It’s essentially a self-selecting group of non-encryption users.

Related Articles and Sites:
http://www.esecurityplanet.com/network-security/unencrypted-laptop-thefts-expose-personal-medical-financial-data.html
https://www.techdirt.com/articles/20140923/07120428605/law-enforcement-freaks-out-over-apple-googles-decision-to-encrypt-phone-info-default.shtml


