Data protection may be the key to cybersecurity

Technology has made it possible for consumers to purchase goods and services with just a click or swipe of a finger on a signature pad. But these advances have also bred a new and more dangerous type of criminal who has all the tools he or she needs to steal personally identifiable information, costing consumers tens of billions of dollars each year, not to mention a host of hassles and a lasting impact on their credit.

Cybersecurity is one of the most important issues of our time. The threat of data breach presents a serious national security risk that has already impacted financial, healthcare and government systems across the nation. These threats are particularly disconcerting when combined with growing vulnerabilities in our energy grid and other critical infrastructure. To combat this, businesses and both federal and state governments should adopt leading-edge measures to protect sensitive information and intellectual property.

From both a policy and practical perspective, it is important to work effectively to protect data and critical systems. Current policies and practices focus primarily on preventing intrusions and minimizing harm when they occur. These are important steps, but experience shows that they do not go far enough. Looking ahead, it is imperative that cybersecurity efforts also include the protection of data through the use of new and more robust encryption and technology-enforced protocols that ensure data is stored and handled appropriately.

Although companies may store their data behind a firewall, the data itself is often improperly protected. For the uninitiated, firewalls sound sufficient. In many cases, however, the cryptographic keys, the mechanism that locks and unlocks encrypted vaults, sit on the same servers that house the data. This is like leaving the house in the morning with your key in the lock instead of under the mat. Of course, the key should not be in either place. It would be far safer to encrypt information at both the device level and in the cloud. Bad actors would be left to gather random and worthless bits of data that do not pose a serious threat. Without the means to decipher the bits of data, they will move on.

It may sound simplistic, but encrypting the data first is a game-changing idea and represents a split from malware protection software companies, which attempt to keep up with known malware and virus signatures, then match and patch them. This is inefficient. It is time to halt bad actors at all stages and protect data wherever it resides.

The National Institute of Standards and Technology’s (NIST) creation of the Critical Infrastructure Framework is a start, but more must be done to protect vulnerable American businesses and infrastructure. Policies and practices intended to enhance the security of our private and government networks must emphasize protection of data through robust encryption, beginning at the device level, along with the use of technology to enforce protocols related to what approved or unapproved people can or cannot do with the data. While law enforcement continues to evolve, responsible CEOs, board members, investors and business owners should consider encrypting data at the device level, in transit, and in the cloud before it is too late. Salvaging their customers, brand and revenue, as well as our national security, depends on it.

Sessions represents Texas’ 32nd Congressional District and has served in the House since 1997. He is chairman of the Rules Committee. Scherr is chief executive officer at Encryptics, a Texas-based company that develops and delivers enterprise-wide data protection solutions.