You could simply protect the whole thing. By default. All the time. The data itself would be “secure by default”. Interested in learning more about
10 Data points in support of Zero Clear Text PII
Clear text PII presents lots of risks. If the technology exists to support its obfuscation at all stages of its lifecycle, especially while in-use, zero clear text should become an item of basic security hygiene across enterprises.
But Top 10 lists can be fun and informative. So why not compile one in support of zero clear text PII.
(Data sources are mentioned and compiled from articles that are publicly available. Several of these were included in Varonis’s list of cybersecurity facts that is publicly available):
- Data breaches are at an all-time high. The last 12 months have seen over 8B clear text PII records exposed through breaches. Not having PII in clear text anywhere in its lifecycle would reduce the impact of breach. (Data Source: Titaniam research)
- Hackers attack every 39 seconds, on average 2,244 times a day. Enterprises are under attack. The crown jewels are in the form of data. Not having it in clear text improves the odds of not compromising it. (Data Source: University of Maryland)
- The average lifecycle of a breach was 314 days, from the breach to containment. If attackers are in there for that long, and they stick around using all the tricks in the book including encryption and other forms of obfuscation, defenders need to take a page from their book and get as far away from clear text as possible. Redact, tokenize, mask, encrypt and when those are not possible, entangle (obfuscate). (Data Source: IBM)
- 34% of data breaches involved internal actors. The source cited here places it at this number. Other sources (i.e. Gartner) go as high as 98% for cloud breaches. Internal actors are one of the strongest reasons enterprises need to move swiftly to obfuscate all sensitive data-in-use. (Data Source: Verizon)
- 53% of companies had over 1,000 sensitive files open to every employee. This is another strong reason to support as much data handling, manipulation and analytics on non-clear text data as possible. If they don’t need to see the clear text PII, they should not. (Data Source: Varonis)
- Companies reportedly spent $9 billion on preparing for the GDPR. That is a lot of investment in controls that cover a tiny 2% of the data lifecycle. 98% of the time sensitive data is in use in clear text. It would take a small fraction of this investment to protect the data regardless of its state, and let all downstream applications be private and GDPR compliant by default. (Data Source: Forbes)
- 15% of breaches involved Healthcare organizations, 10% in the Financial industry and 16% in the Public Sector. That’s our medical records, our financial records and our identity data that resides with the government. Should it really be accessed and manipulated in clear text? (Data Source: Verizon)
- The estimated losses in 2019 for the healthcare industry were $25 billion. This is a staggering number. 2020 has seen our healthcare industry bear the burden of the pandemic as well as become the top target for attackers. Providing efficient and cost effective methods to safeguard PHI is of utmost importance. Zero clear text PHI is possible, affordable, and should be set up as a default. (Data Source: SafeAtLast)
- The financial services industry bears the highest cost from cybercrime at an average of $18.3 million per company. This vertical is a strong investor in cybersecurity but this has not improved the lost of PII. This is not a flaw with the industry but rather a reflection of the nature of how PII needs to be transacted and manipulated in this vertical and the sheer volume of it that needs to be gathered, processed and analyzed. (Data Source: Accenture)
- Perhaps the most important reason to get to zero clear text PII is because it is finally possible.
Interested in learning more about how Titaniam can help? Get started today with a demo
10 Data points in support of Zero Clear Text PII Clear text PII presents lots of risks. If the technology exists to support its obfuscation