I was reading a blog the other day, and the question presented to readers was: do you believe adoption of end-to-end encryption technology throughout the payments industry is the panacea for protecting personal information?
Some experts have indicated that end-to-end encryption is the way to protect sensitive and personal information from being hacked in situations like TJX, Heartland Payment Systems and others. The Ponemon Institute even released a new survey (sponsored by PGP – an encryption company) reporting that its research shows breaches are more expensive and can lead to losing customers, and indicating that a strategic and more holistic use of encryption is the technology most implemented after a breach.
While I am not against encryption as a way to protect against unauthorized access to sensitive and personal information, I am not convinced that increasingly sophisticated ‘bad guys’ who have successfully infiltrated an organization’s network and its servers will have much of a problem accessing encrypted data.
No doubt technology is needed in securing sensitive and personal information, but implementing more technology is not the answer unless your goal is to keep out the novice ‘bad guys’.
Better results will come from better decisions, which require better knowledge at the individual level.
Implementing individual-level knowledge so individuals (technical, non-technical, management, vendors, contractors, etc.) can make better decisions is the key to addressing a much bigger problem – ‘people, process and technology gaps’. Organizations can have the best technology money can buy, but lack of awareness (of customized and organization-specific knowledge) and lack of acceptance (accountability and understanding) of procedures and processes continue to weaken the best technologies and strategies.
Bad guys will always try to take advantage of negligent insiders and growing awareness gaps between people, processes and technology. Proof of this comes in the Ponemon survey, which reported that most breaches were not due to hackers, but to negligence of insiders. Breaches by third-party organizations such as outsourcers, contractors and consultants were reported by 44 percent of respondents, more than double the percentage in 2005.
So with all the breach statistics and lessons learned, doesn’t it make sense to reduce the ‘people, process and technology gaps’ with better knowledge at the individual level?