Encryption: With data salad against cyber spies.
by Steve Böhmer
Encryption is one of the oldest forms of protection against attacks and spying. But in today’s internet age, this technology is not as widely used as it could be by companies. As a matter of fact, only 28 per cent of small and mid-sized companies encrypt their e-mail communications.
Written by
If James Bond has taught us anything—aside from how to live large and invariably come out on top—then it’s that even British super-agents aren’t immune to data theft. And that, time and again, encryption is the only effective technology to keep foes at bay. The Bond series has also shown us how the technology has changed over time, from the briefcase-sized encryption machine in From Russia with Love to the polymorphically encrypted hard drive small enough to fit into a waistcoat pocket in Skyfall.
The race to securely encrypt information against clever hackers seeking to break the code has been ongoing since ancient Egypt and is a part of everyday life in today’s business world. However, in contrast to the early stages of cryptography, personal data can be drawn from any imaginable source nowadays. Credit cards, for example, reveal not only a person’s name, but also their address, purchasing patterns, employer, income and much more. Despite this, users—and especially companies—all too often neglect to scramble their data to protect information from attackers.
Systems outside a company are especially vulnerable to criminals as they are easy to steal, compromise or simply misplace. Solid encryption combined with features such as secure data deletion minimises risk.
Maintain your data sovereignty with encryption.
As a result of big data, the number of “crown jewels” enticing criminals to action is growing daily, regardless of a company’s size. At the same time, reports of data breaches and security leaks seem never-ending, driving IT managers and data protection officers to their wits’ end, especially as they strive to meet the requirements of the EU General Data Protection Regulation (GDPR). Their repeated pleas for greater safeguards to improve access and disclosure controls are often ignored by decision-makers.
The problem is that traditional antivirus software and standalone solutions are no longer up to the task of protecting data and networks against modern, sophisticated cyber attacks. It’s only a matter of time until criminals find a way to undermine current defence mechanisms. If they’re able to circumvent all other obstacles such as firewalls and intrusion prevention, solid encryption becomes your last impregnable bulwark. Even if hackers are able to successfully infect your system with malware, encryption technology ensures that their bounty is nothing but an incomprehensible data jumble. Encrypted information is difficult to monetise, making it worthless to attackers. In addition, under the GDPR, the obligation to report a security breach within 72 hours does not apply if the data controller has encrypted the data.
Studies have shown that, on average, successful cyber attacks go undetected for six months. This gives criminals ample time to get a good look at every corner of a company’s network, helping themselves to mountains of data which they can then sell for a lot of money.
Bridging the gap between humans and technology.
There are a number of reasons why encryption has made only modest inroads. For some, it requires too much time and expense. Others experience issues using it, while others still question its practical benefits and suitability for everyday use. In most cases, the prevailing problem is that convenience trumps security. This attitude must change—and fast—as we live in an age of smart systems and GDPR requirements. Think about it: a single click is all it takes to send private, personal customer and employee information, not to mention confidential factory and production data, around the globe. Such quick access opens up new resources by delivering information exactly where it is needed.
But it also increases the risk of malware infections, data loss and unauthorised network access. In addition, our ability to work more productively on the go has created a wealth of sensitive data that must stay out of the wrong hands. Current research by the German Federal Ministry for Economic Affairs and Energy shows that SMEs lag far behind large corporations when it comes to encryption, with less than one-third of them using it. This is despite the fact that the open architecture of e-mail, for instance, is virtually begging for security precautions to guarantee confidentiality.
Encryption checklist for companies.
There are numerous ways to comprehensively protect data and information, which can be implemented using various organisational and technical steps. Two things are important when integrating a consistent IT security strategy. First, the different technologies must be able to interact with each other. Secondly, you must be able to make them user-friendly for employees, helping your staff make safe choices by enabling security by default. This applies also to data protection, which should be planned for in default settings and adapted to different company situations. This is the only way to ensure that all employees contribute to protecting data and information.
According to Article 32 of the GDPR, encryption “ensures a level of security appropriate to the risk”. Encryption protects the confidentiality of data, whether for field staff, partners or suppliers. In Paragraph 3a of Article 34, if data has been properly encrypted, data breaches do not have to be communicated to the data subject or supervisory authority within 72 hours, as is usually required..
Instead of busting out the big guns to mitigate damage when a breach has already occurred, IT managers would do better to strategically prepare their systems for such attacks in advance. Many vulnerable spots can be reinforced before criminals even strike. ESET gives the following tips for making sure your company makes effective use of encryption:
- Design security to be easy to use, not cryptic: Encryption adds an extra layer of protection—but only if it’s used. And employees will only use encryption if it doesn’t impede their daily work or make IT security any more complicated.
- Treat encryption as a part of your IT security strategy: Your encryption strategy should fit seamlessly with your overall IT security strategy, without unnecessarily inflating or complicating compliance requirements. If endpoint security, two-factor authentication and encryption all work together, the result is a consistent security strategy that is able to prevent malware attacks and spying, thereby keeping confidential business data safe.
- Tap into outside expertise: It’s recommended to consult with outside professionals when introducing or implementing encryption strategies. For one, this lessens the workload of your in-house IT department, which may already be overextended. Professional assistance also ensures a user-friendly encryption strategy that complies with data protection regulations.
- Choose a security-by-design approach to encryption: IT managers and data protection officers should look for encryption solutions whose very design takes a variety of security aspects into consideration, such as human error and laziness.
- Include employees at all levels: Encryption will only work if your employees are on board and properly trained. That’s why it’s important to include them early on in your internal processes and infrastructures, specifically raising awareness and training them on encryption and its benefits. No matter how good your technology is, it won’t be effective if your staff is overwhelmed by the solution, or if the various mechanisms don’t mesh perfectly.
