Knowing that data is secured through encryption is critically important for many businesses, whether that is to protect customer details, payments or other sensitive information. Indeed, analyst Gartner recently said enterprise-wide encryption should be viewed as a priority for mitigating security threats and meeting compliance requirements, pointing to the dramatic rise in data breaches.
For risk managers this makes sense, and it is likely to be a vital part of their plans to reduce risk and shore up security across the business, even if it involves investment and a thorough review. Some of the key areas to examine when widening the encryption net include:
- What data needs protecting and why – for example, customer, HR or financial data?
- Where is the data stored, in terms of location, and does it sit in different legacy systems?
- Do those systems need better integration to fit a new encryption strategy?
- How is data transferred – by email only, or also via services such as Dropbox?
- Are USB drives used?
- Who needs access, and what are the rules around mobile devices?
- Is a new and improved key management strategy needed?
- Will more use be made of the cloud?
- Is additional employee training needed on the new strategy?
Buy-in from the board
But this is only part of the challenge. Risk managers may also face barriers from their boards on a number of fronts. Firstly, there may be a general sense of complacency: a belief that the business won’t be hacked, or won’t suffer the employee error or IT failure that results in a data breach.
They may also believe that encryption will slow down their processes, even though with proper management this should not be the case. Robust encryption combined with multi-factor authentication has proved an effective way of repelling cyber criminals and improving a company’s resilience.
But some with more limited knowledge may also have picked up on the current debate about cyber crime and whether encryption should in fact be weakened to help catch criminals, and so feel sceptical about whether further investment is even worth it.
The criminal challenge
The fact that criminals and terrorists, along with the law-abiding, can also encrypt their data, so that the authorities struggle to read it, is a complex dilemma which continues to dominate the news and to which there is no easy answer.
In the US there are calls for ‘responsible encryption’, meaning that only those with judicial authorisation could access encrypted data. The idea may sound sensible in theory, but in reality it is undermined by the fact that if the government holds a key that unlocks the data, there is always the chance that a criminal can discover or steal that key too.
Meanwhile in the UK, the government is calling on communications companies such as Google and Facebook to allow the intelligence services to bypass encryption more easily to assist with counter-terrorism work. However, the same problem exists: a ‘master key’ would become a target for hackers, and its very existence would make everyone else’s data far less safe.
Europe has taken a different approach: it will issue fines if illegal content is not removed from sites such as Google, Twitter and Facebook within a specified time, but it has not issued similar anti-encryption demands. The EU has said Europol will be better funded to track cyber criminals.
In the meantime, there are plenty of IT security experts, and indeed some within governments, who feel strongly that whatever challenges encryption poses, any weakening of it could be extremely dangerous for businesses and the wider economy.
And as a business strategy it is gaining ground strongly. Research by Thales and the Ponemon Institute, released in April, shows that some 41% of firms globally now use enterprise-wide encryption, up from just 15% in 2005. Encryption needs the right implementation and infrastructure, but if properly supported across the business it should prove an invaluable shield in an uncertain world.