Unencrypted data is a big deal. There have been thousands of data breaches in the last two decades, some more significant than others. Data breaches affect large corporations, but most breaches affect small businesses. Thinking you’re immune because you don’t have a large company is a false sense of security; a mistake that costs the average business $38,000 to recover from.
Encryption has a fantastic reputation, as it should. It’s the best way to protect sensitive data from prying eyes and hackers that get a hold of it. However, encryption isn’t automatic, and encryption methods aren’t equally secure. Depending on your needs, what’s sold as “encryption” may be incomplete, even if it’s popular.
For example, Gmail, used by more than a billion people around the world, has a built-in feature to encrypt outgoing emails sometimes. Gmail admits encryption is not guaranteed, but plenty of people see the word “encryption” and assume it’s completely secure.
Multiple factors determine whether Gmail encrypts your emails. First, you must have S/MIME enabled on your Gmail account to encrypt emails in transit. Second, encryption must be supported by your message recipient(s). Gmail will only encrypt an outgoing message if it can access the recipient’s public key. The only way to guarantee all emails get encrypted is to use a third-party application.
Even the most sophisticated encryption software will fail where users fail to follow security policies. That’s one reason you can’t rely on out-of-the-box solutions for complete protection. Another reason is clever marketing.
Say you’re browsing the software section in a computer store looking for data security solutions. On the front of nearly every box, you see the word, “encrypted,” or “encryption.” As you read the description of each piece of software, it becomes clear that you have no idea how the software works. All you know is each product promises to encrypt your data. That’s what you want, so you’re tempted to buy something on the spot.
Marketers know exactly how to tell you their product does what you want, without revealing any details. When it comes to encryption, those details matter. What kind of encryption are you buying? How difficult will it be to implement and get others to adopt? Will data be encrypted as it travels across multiple servers? Will the data be encrypted at its destination? Getting this information from the product’s box is hard.
Data can be encrypted in various ways. For example full-disk encryption, but these solutions only work when the disk is spun down and the machine is turned off. Another option is Transparent Data Encryption to encrypt database files on a server. Unfortunately, TDE contains security flaws as well. Without application-level encryption, data is visible with a username and password.
In addition to the level of encryption available, there are two primary factors to consider when evaluating encryption software: seamless key management and ease of use.
Ease of use is especially important when you’re running a business because employees and contractors might not use the software if it’s a hassle. In this context, having complicated encryption software can be like having no data protection at all.
Encryption key management has been a challenge over the years. The more platforms used, the harder it is to manage. An effective encryption solution will be able to handle multiple platforms like removable USB media sticks, mobile devices, hybrid clouds, and any other type of data storage. An effective encryption solution will also ensure keys are secure and change regularly.
You’ll need to do some independent research to find out what each encryption solution offers, and where it falls short. If you’re bound by federal regulations, you can’t risk data being transmitted unencrypted at any point in the process. End-to-end encryption would be your only choice.
If you’re not bound by federal regulations, and the data you’re transmitting isn’t sensitive, you may not see a need to use end-to-end encryption. Although, it’s a wise move to use it anyway because some hackers aren’t interested in personal or financial data.
Sometimes hackers want money for themselves, or to steal identities, but not always. Often, their game is to cause problems for their target – financially or otherwise. For example, the 2011 Stratfor hack made hefty donations to charity with pilfered credit cards. Sony Pictures was hacked in 2014, but the hackers weren’t after money. The goal was to expose the inner workings of a secretive industry. Wikileaks published everything.
As data breaches continue to rise, your data could be next. However, even if you get hacked you can rest assured that your data is safe if it’s encrypted and only you control the keys.