Cyber incidents are on the rise in South Africa. And so are the costs associated with serious data breaches.
That’s forcing many of the region’s organisations to revisit their cybersecurity strategy.
Yet a market estimated to be worth over US$2-billion at the start of the pandemic can be challenging to navigate. With so many competing solutions and approaches on offer, it’s increasingly difficult for IT leaders to filter out the marketing noise and understand what the best fit for their organisation might be. Given the financial and reputational risks involved, the stakes couldn’t be higher.
This is where data-centric security has clear advantages. At its heart is a simple idea: protecting sensitive data at its earliest point of entry into the corporate environment, to keep it safe from thieves, extortionists and insider negligence. But how should it be protected? Encryption may be better known, but tokenisation is an increasingly popular alternative that may be a good match for many use cases.
Security going backwards
Globally, cybercriminals are in the ascendancy. They’re supported by an underground economy worth trillions of dollars annually. Using the cover of anonymising tools, they can visit hidden dark web marketplaces to buy tools, knowledge and pre-built services to launch attacks. They can then use these same sites to sell stolen data on to fraudsters. It’s a complex supply chain built on technology innovation and the single-minded pursuit of money.
That spells bad news for network defenders, who are often underfunded and short-staffed. According to one report, over two-fifths of South African companies believe their IT security budgets are not sufficient to meet the growing volume and sophistication of cyberthreats. They say it’s at around half of what it needs to be, leaving a shortfall in training and few opportunities to leverage technology innovation. As a result, the number of South African organisations that believe they have an adequate cyber-resilience strategy has dropped from 41% to 33% over the past year.
The cost of poor security
Achieving enhanced resilience is no longer a competitive differentiator. It’s an essential foundation for business survival. As local organisations build out their digital capabilities to drive cost efficiencies and business agility, they’re also creating broader attack surfaces with more potential entry points for criminals to target. Yet the price of failing to secure these complex distributed environments may not only be a serious security breach.
The regulatory landscape has moved on significantly in recent years, piling more pressure on South African IT bosses. There’s the 2021 Protection of Personal Information Act (Popia), which could levy fines of up to R10-million on organisations that fail to adequately protect customer and employee information. Then there’s the Cybercrimes Act, which mandates breach reporting for some companies. Even the IMF has called for improved cyber-risk management across the country’s financial sector. Yet the breaches keep coming. Between January and April 2022, ransomware compromises reportedly doubled on the same period last year.
Encryption or tokenisation?
Data-centric security acknowledges that perimeter protection is often not enough today to keep out the bad guys. When they can deceive intrusion prevention tools or hijack misconfigured endpoints with stolen or guessed credentials, attackers will always find a way into corporate systems. The key is therefore to protect the company’s data crown jewels themselves, so that even if they are accessed by an attacker, they would be rendered unusable.
Classic encryption has long been the mainstay of corporate data security policies. It works by applying an algorithm to plain text data, which generates a meaningless “cipher text” from it. Only authorised parties holding the right key can recover the underlying data, so hackers who steal the cipher text would be left with nothing usable. There are two types of encryption – symmetric and asymmetric – both of which work slightly differently. However, what they have in common is that the format of the cipher text has completely different properties from the underlying data. That means it’s a different length and is usually written in a different alphabet.
This can be problematic in the context of databases, messaging and most other applications which are built with pre-defined values for maximum length and data format. It means encrypted data must often be de-protected before it can be used, which could present security risks. That’s why it’s more commonly used to scramble data in transit and for device encryption.
Tokenisation is arguably more cost effective and configurable than classic encryption, giving it the edge in many environments. It works by replacing the plain text data with a “token” which can be tweaked to preserve the length and even the same alphabet as the underlying data. This “format-preserving” capability means it can be used with existing applications and message structures without any need for costly changes.
Tokens also demand fewer computing resources to process, further lowering costs, streamlining data protection and ensuring system performance is optimised. This is partly because specific chunks of data – such as the first six digits of credit card primary account numbers – can be kept visible for important business functions such as analytics. That reduces the strain on system resources and makes tokenisation a popular choice for a wide variety of use cases. These include protecting sensitive data such as payment information, healthcare records and personally identifiable information.
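The format difference described above can be seen in a short added example, which is not code from this article or from any vendor: a vault-style tokeniser that keeps a card number's length, digit alphabet and first six digits, checked against a legacy 16-digit field rule. The names `TokenVault`, `fits_legacy_field` and `ciphertext_shaped_blob`, the field rule and the test card number are assumptions made for illustration, and the "cipher text" is random bytes shaped like encryption output, not real encryption.

```python
import base64
import re
import secrets

LEGACY_FIELD = re.compile(r"[0-9]{16}")  # assumed column rule: exactly 16 digits

class TokenVault:
    """Vault-style tokeniser: random digit tokens, mapping kept in a protected store."""

    def __init__(self, keep_prefix=6):
        self.keep_prefix = keep_prefix   # leading digits left visible for analytics
        self._by_pan = {}
        self._by_token = {}

    def tokenise(self, pan):
        if not (pan.isascii() and pan.isdigit()) or len(pan) <= self.keep_prefix:
            raise ValueError("expected a digit string longer than the kept prefix")
        if pan in self._by_pan:          # same input always yields the same token
            return self._by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - self.keep_prefix))
            token = pan[:self.keep_prefix] + body
            # retry if the token collides with an issued token or a known PAN
            if token != pan and token not in self._by_token and token not in self._by_pan:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenise(self, token):
        return self._by_token[token]     # only callers with vault access get here

def ciphertext_shaped_blob(plaintext_len=16):
    """Stand-in for encrypted output: nonce + data + tag sized random bytes, base64."""
    return base64.b64encode(secrets.token_bytes(12 + plaintext_len + 16)).decode()

def fits_legacy_field(value):
    return LEGACY_FIELD.fullmatch(value) is not None

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise("4111111111111111")  # constructed test number
    print(token, fits_legacy_field(token))
    blob = ciphertext_shaped_blob()
    print(blob, fits_legacy_field(blob))
```

The token passes the unchanged field validation while the ciphertext-shaped value does not, which is why the existing application needs no schema change to store tokens.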
With the average cost of a data breach surging 50% year on year to reach $3.2-million in South Africa, the focus for local organisations must be on finding the most effective, cost-efficient way to protect their critical data. For many today, that increasingly means tokenisation.
Comforte AG has evolved into a market leader for data security and cloud-native tokenisation. Combining our experience in securing data in motion and at rest, we took our portfolio one step further and created a “Data Security Platform” that seamlessly integrates into the most modern cloud-native environments as well as traditional core systems. Now, more than 500 enterprises, including many Fortune 500 organisations, rely on comforte AG’s solutions to secure their data. With offices in Germany, the US, Singapore and Australia, comforte AG has a global reach.
- This promoted content was paid for by the party concerned