How companies can better protect their data against cyber attacks

Data theft, espionage or sabotage: the German Competence Center against Cybercrime (G4C) estimates that nine out of ten companies are victims of a cyber attack. At the end of March, CH Media, to which this portal belongs, was also hit by a cyber attack.

The attacks often go unnoticed for a long time. Criminals can sometimes transfer data for months without noticing. The numbers make it clear: almost every company will be attacked by cybercriminals sooner or later – and should protect itself accordingly.

sender of this alarming message Comforte, a German company specialized in data security. According to its own statements, Comforte secures 60 percent of global card payment transactions, such as those of Visa and Mastercard.

Why it’s not enough to protect the doors

Noisy Comforte CEO Michael Deissner there needs to be a paradigm shift in data protection. Until now, most companies would focus on infrastructure and network security. They take measures to prevent criminals from entering the system. The access doors to the system are closed as well as possible. According to Deissner, that’s not enough.

More and more companies, but also private users, store their data in cloud solutions. This means they lose some control over their data as it is stored on the cloud provider’s servers. The cloud offers a degree of protection. But once the walls are breached, the data can often be seen – a nightmare scenario for any business.

According to Deissner, companies should therefore pay attention to so-called “data-centric security”, ie the protection of the data itself, which must specifically be encrypted by default. Data must remain protected for its entire life – from collection to storage, processing and transmission to deletion.

The target:

One way to do this is with classical encryption. The data is converted into an unreadable format using an algorithm and a key.

A second possibility is the so-called tokenization. According to Comforte boss Deissner, tokenization has been around since 2018, but the method is still little known. Plain text data is replaced by so-called tokens.

Unlike classical encryption, the token retains the format of the original data. With a credit card number, for example, only the digits are exchanged – again a series of 16 digits is created. Or the “@” sign remains in the correct place for an email address.

Encryption and tokenization have different advantages and disadvantages. In encryption, there is a mathematical relationship between the original value and the encrypted value.

This makes the encryption reversible, which poses a risk: if a hacker breaks the algorithm, he can decipher all encrypted values.

In addition, the data is made completely unrecognizable and must be decrypted again for each processing.

Conclusion: Absolute security does not exist

With tokenization, on the other hand, the data can be used in business processes and analytics even in a secure state, since the format is not changed. In addition, there is less risk of the code being cracked because there is no mathematical connection between the original value and its secure counterpart.

However, this also means that since there is no connection, it is much more difficult to undo a tokenization. So if there is data theft, one cannot just convert the tokens to the original data and insert a new token.

In addition, the number of possible combinations is limited: the more tokens in circulation, for example for credit card numbers, the greater the risk that the same token will be used several times. Tokenization also cannot provide absolute security.

Whether it’s encryption or tokenization, companies will hardly be able to avoid data-centric security. The risks and damage of cyber attacks are simply too great.