By Morey Haber, Chief Security Advisor, BeyondTrust
Let’s consider the Middle East cyberthreat landscape, and let’s begin with some numbers. A US$7.5 billion cybersecurity industry (2022 figures) is expected to grow at a compound annual growth rate of almost 20% in the seven years to 2029. The average cost of a breach in the region, as reported by IBM Security, famously topped US$8 million in 2023, while 29% of regional respondents in a recent PwC poll estimated their losses from incidents at more than US$1 million. Also last year, the wider Middle East and Africa (MEA) region endured a 68% surge in the number of ransomware attacks.
Whether you consider yourself at war or under siege, you need both a sword and a shield to feel adequately protected. And when it comes to protection against data theft and cyber extortion, encryption has emerged as necessary armor in the forms of a sword and shield. Organizations must hide information from unauthorized eyes and strike back against attackers to drive them from the digital estate. Counterintuitive as it may appear, given the numbers, encryption is a must-have in some scenarios and an unnecessary complication in others. The questions before decision-makers are when, where, how, and why encryption should be implemented. As the region’s digital frontier is pushed ever forward, several reasons emerge as to why data encryption is either necessary or ill-advised. These reasons form pro and con business cases that can guide CISOs and boardrooms across the region in coming up with the ideal encryption strategy.
The case for
1. We safeguard privacy
To customers, confidentiality is non-negotiable. Cryptographic methods transform the readable into the unreadable. To make use of any part of this sensitive data, threat actors need a key that they cannot easily obtain. Healthcare, government, or BFSI leaders can sleep more soundly in the knowledge that even if intellectual property or payment information is compromised, the assailants will be unable to use the information if the encryption is properly deployed.
2. We maintain compliance
In highly regulated industries, cybersecurity best practices like encryption are mandated. This can apply to local laws like the United Arab Emirates’ Personal Data Protection Law, or global standards such as the European Union’s General Data Protection Regulation (GDPR), or industry-level frameworks like the Payment Card Industry Data Security Standard (PCI DSS). To be considered compliant is to store, process, and transmit data as described in the regulations. To be non-compliant is to tarnish the organization’s brand to the point where regulators, customers, and partners consider it untrustworthy and potentially unable to longer conduct business.
3. We protect intellectual property
When we talk about data being the new gold, we do not just mean monetizable Personally Identifiable Information (PII) and transaction data. The disclosure of Intellectual Property (IP) is an existential threat to corporations — be it algorithms, blueprints, financials, or client lists. Encryption’s ability to prevent unauthorized access is a welcome one. However, when it comes to ransomware, which would further encrypt the already-encrypted data, encryption alone will not solve the problem and in some scenarios could make the situation worse.
The case against
1. We may compromise performance
The computational power necessary to encrypt and decrypt data can cause latency bottlenecks, especially where real-time volume processing is involved. Stock (financial or trading) markets are a simple example of these environments. This can become a problem in places like high-frequency trading (HFT) environments, where milliseconds can mean the difference between profit and loss. Encryption’s close relationship with latency could therefore undermine the very purpose of the use case. Where the need for speed outweighs the security benefits of encryption, it can be more prudent to rely on other security controls to prevent unwarranted access.
2. We may incur administrative overhead
Regional IT teams have a lot on their plates. If we include encryption, we must factor in the management of encrypted/decryption keys, including their rotation. IT typically will take responsibility for this and for maintaining access controls including the storage of keys for disk-level encryption. Such an escalation in admin requirements not only increases costs but introduces new potential points of failure. CrowdStrike lingers in the mind as a cautionary tale. During the crisis, organizations that encrypted their hard drives with BitLocker, but did not store the encryption keys separately, had to go through extra manual steps on the road to recovery. This is a very real business risk when operating at certain scales. The CrowdStrike episode alone should give enterprises cause for pause and reason to revisit even basic OS functionality. Risk should always be measured by considering the additional IT admin hours that may have to be devoted to asset management. While disk encryption is almost always recommended, organizations must also devote time and appropriate resources to storing and processing decryption keys in a third party system to minimize the downtime for events like the CrowdStrike Global IT Outage.
3. Small businesses may struggle
Middle East economies thrive on smaller businesses, which are vulnerable to cyberattacks but may be just as vulnerable to encryption overheads. As we have seen, small businesses with limited IT resources might not be capable of implementing and managing an encryption system. The risk of errors might outweigh the security benefits, especially if the data being protected is not particularly sensitive. In such cases, simpler security measures like strong passwords, multifactor authentication (MFA), and regular backups, and SaaS solutions that provide security and encryption may suffice.
4. We may hinder accessibility
Encryption could place unnecessary obstacles in the way of data sharing and collaboration. Some business models rely on real-time or rapid sharing among multiple external parties regardless of trust or relationship. Decryption keys must be securely shared and managed, potentially complicating workflows. If the use cases were, say, monsoon rain storms or a product recall, it is not difficult to see the potential for encryption to cause potential harm when everyone needs the information.
Tools for jobs
As both our sword and shield, encryption is a powerful tool. But every fight defines the weapons we must use. We can protect sensitive data, remain compliant, and lock down IP. But we must ensure we are not introducing performance bottlenecks, administrative complexity, or barriers to collaboration. We must establish an encryption strategy that takes account of use cases and deploys encryption only where it can deliver a net gain and a means for data recovery. Business needs, risks, performance requirements, and a range of other priorities and legal obligations will vary from organization to organization. Allow for this and encryption can consistently offer a safe haven and never a crucible of chaos.