The Compliance Contradiction

Compliance regulations – particularly GPDR – have been a major driving force behind the uptake in cybersecurity solutions, but not all investments have helped enterprises bolster their cyber-defenses. Indeed, some investments have left enterprises exposed to new cyber-threats, which have become more sophisticated and harder to spot.  

The Cost of Compliance

New regulations are costing enterprises a lot more. Reuter’s latest ‘Cost of Compliance’ report found that 43% of organizations expect the size of their compliance team to grow, while two-thirds expect an increase in their compliance budget in order to protect their organization’s data.

While the report highlights the massive influence technology solutions have on compliance, it also identifies that there are some instances where this isn’t the case.

On the one hand, new solutions can directly help organizations achieve a state of compliance. For example, 41% of organizations are expected to assess fintech and regtech solutions in the next year.

On the other hand, new compliance-driven technologies can increase the risks associated with cyber-resilience, IT infrastructure and data privacy.

With 2018’s introduction of GPDR, it’s hardly surprising then that the use of encryption is steadily on the rise as organizations seek to adhere to this new set of stringent regulations that have been put in place to protect sensitive data. According to the Ponemon Institute, 45% of businesses already have an encryption strategy in place, a figure that is expected to rise.

Whilst the likes of GDPR might have made UK businesses more cyber-resilient, there is still much work to be done, especially since only 30% of businesses have made changes to their cybersecurity strategy since GDPR came into play. Furthermore, the current solutions available, namely encryption, come with many flaws.

Encryption is a Double-Edged Sword

The rising use of encryption as a compliance solution is actually a cause for concern. As well as protecting sensitive information, encrypted traffic also gives hackers a new point of entry, with encrypted malware becoming an attack vector of choice. Threat actors have learnt that they can exploit encrypted traffic by hiding their malicious code within the encrypted data. This is a growing concern, and PWC estimates that 60% of malware will be encrypted by the end of this year.

Traditional security solutions can’t see inside encrypted traffic flows; they must decrypt traffic in order to scan it for malware, but, by decrypting confidential data in this way, organizations could find themselves in breach of compliance regulations. In short, if businesses implement decryption in search of this hidden malware, there is a very real risk that all data – including sensitive information – could appear in plain text, putting organizations in blatant opposition to the rules on encryption.

Furthermore, the ongoing introduction of the recently ratified TLS 1.3 protocol may even prevent enterprises from looking in on their own traffic at all as the protocol will inhibit legitimate passive decryption.

AI is the Way Forward

Organizations need to look to solutions other than decryption if they are to both keep their data secure and comply. Technologies that use AI and behavioral analytics are one way to go, which allow businesses to simply scan the traffic metadata, not the actual contents, in search for hidden malware.

This technology can learn the difference between good and bad traffic, spotting and stopping encrypted malware, in real-time with a very high accuracy. Not only is this a more efficient process than decryption, but it also ensures that businesses are not breaking any laws whilst keeping their data secure.

When looking to the future of cybersecurity, especially in the face of regulations intended to protect sensitive data, it’s vital that organizations don’t become slack in their efforts, and constantly look to new solutions that can tackle new threats.

What’s Hot on Infosecurity Magazine?