The Zimbabwe Independent

Encryption: Evading constant data breaches


Organisations are facing unprecedented cyber threats, and one of the most devastating cyber threats at present is the data breach. Data breaches can damage organisations financially and legally, and can also lead to non-financial losses such as reputational damage. Organisations must take steps to mitigate data breaches, and one of the most effective ways of protecting your data and digital assets is encryption.

So, what is encryption?

Data encryption is the process of converting plain-text information into an indecipherable form, which can only be accessed by a user with the correct decryption key. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Data encryption provides protection against unauthorized access to your files, hence maintaining the Confidentiality, Integrity and Availability (CIA) of your data.

When to use it and approaches

The first step in choosing the right encryption strategy is to understand the differences between three different states of data - in transit, at rest and in use - and the security challenges posed by each. Data in transit is data that is moving from one location to another. This includes information traveling via email, collaboration platforms like Microsoft Teams, and instant messengers like WhatsApp, making it a prime target for attacks given its exposure across the internet or private corporate networks. Data at rest refers to inactive data, meaning it's not moving between devices or networks: data archived in a database or stored on a hard drive, computer, or personal device. Data is in use when it's accessed or consumed by an employee or corporate application. Whether it's being read, processed, or modified, data is at its most vulnerable in this state. Encryption is essential to protecting data in use, and many businesses will shore up their encryption solutions with additional security measures like authentication and permissions for data access.

Data encryption can be applied using any of the following approaches:

• Full Disk Encryption (encrypting all data on the storage media)

• Container or Volume Encryption (designating a specific virtual container/disk volume to encrypt)

• File or Folder Encryption (encrypting specific files or folders as needed)

• Application Encryption (using an application that can encrypt the data)

Encryption drivers

Hybrid working - data is spread across different locations, untrusted networks, and personal and mobile devices; networks are fragmented and more exposed; and devices can be stolen. Data shared over these unsecured networks or copied to personal devices must be secured, hence the call for encryption.

Cloud computing - there has been exponential adoption of hybrid computing, with organisations migrating their data to the cloud, and that information must be protected if the provider is compromised.

Mobile computing - mobile devices have become powerful and have large storage capacity, leading to their adoption in the workplace, which means corporate information is transferred to personal or corporate-owned devices. That information must be protected in case the device is lost or stolen. In addition, data leaks can also be prevented by encrypting the data on these mobile devices.

Digital transformation - the race to embrace digital transformation is on, and a lot of organizations are doing everything possible to ensure they digitize every piece of information. This inadvertently increases the risk of cyber-attacks and data breaches. For optimal data protection, encryption is a must; any data you encrypt is useless to cyber attackers that manage to hack your system unless they have the corresponding decryption keys.

Regulations and compliance - Governments are tightening control of cyberspace by introducing tighter regulations. For example, the recent Data Protection Act reinforces the accountability of data controllers and data processors and requires organisations to prevent disclosure of client information; to be compliant, entities must encrypt data and information.

Data Encryption Best Practices

Some of the data encryption best practices to reduce the risk of breaches include:

1. Create a Strategy for Securing Data - Depending on the size of your business, your security strategy may differ. For example, enterprises with many users should be using cloud servers to store their encrypted data, while small businesses can use their workstations as storage media.

Understand the rules and regulations: PII (personally identifiable information) needs special encryption to meet local and applicable regulations. Check what other governing policies apply to your business and how they impact your security strategies.

Encryption tools: Determine which encryption tools are best suited for your business (according to data volume and business needs).

Encryption algorithm: Check if the technologies or algorithms used by your encryption vendor meet international standards.

Key management: Decide on ways to generate, store, and replace keys. Also, create strategies to destroy the encryption keys in case of a security breach.

Auditing data: Determine how you will track irregularities or identify unauthorized access to your encryption keys.

2. Protect Data in transit - Data stored in your system or dedicated servers is much easier to protect than the files in transit. Make use of Virtual Private Networks (VPNs) as they help in protecting your data in transit.

• VPNs create an encrypted connection between your device and the internet, hiding all your online activities. Make use of them where applicable, especially when accessing corporate resources remotely. Since a VPN changes your IP address, even prying eyes won't be able to see if you have files in transit.

• Implement security protocols to safeguard your devices and data against attacks on public Wi-Fi, and educate your employees about the risks associated with public Wi-Fi.

• Invest in controls that secure access from workstations to your storage device (cloud network, servers, etc.)

3. Determine what data to protect - It is essential to consider the worst-case scenarios. What is the potential loss or damage that would be caused if a specific set of data is compromised? If your answer is "too much", then you should be encrypting that data. Sensitive information such as PII and PHI are examples of data that need to be encrypted no matter how robust your security system is.

4. Control Access to Data - Grant access to encryption keys to users depending on the type of data they need. For example, your financial informatio­n should only be accessed by people working in your finance department. In addition, control what a user can access in the files. For example, your marketing team can obtain your customer’s email address from the PII file but shouldn’t be able to check their password or credit card details. This can be done by encrypting all the columns in a file separately or changing your vault access policies (from the vendor’s side).

5. Prepare a Backup Strategy - Ensure that you can recover files, or the keys used to encrypt the data, in the event of loss or theft. You can use software like Cobian Soft for this task. Keep all your decryption keys in a safe place and have a backup of these files. Make sure to store your decryption codes in a different location than your backup keys. You can also use a centralized key management system to mitigate the risk of isolation.
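The per-column approach from practice 4, sketched as an added example (not code from the article or from EY): each column is encrypted under its own AES-256-GCM key, and a role can decrypt only the columns it holds keys for. The role names, key table and sample record are constructed, and keys are generated in-process here where a real deployment would fetch them from a key management system.

```javascript
const crypto = require('node:crypto');

// Constructed keys, one per column (a real system would pull them from a KMS).
const columnKeys = { email: crypto.randomBytes(32), card_number: crypto.randomBytes(32) };
// Hypothetical role grants mirroring the article's marketing/finance example.
const roleGrants = { marketing: ['email'], finance: ['email', 'card_number'] };
// Constructed sample record, not real customer data.
const sample = { id: 'c-1001', email: 'user@example.com', card_number: '4111111111111111' };

// AES-256-GCM with a fresh 96-bit nonce per value. Record id and column name are
// bound as associated data, so a ciphertext moved to another row or column fails.
function encryptField(key, recordId, column, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${recordId}:${column}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the key, record id, column or ciphertext does not match.
function decryptField(key, recordId, column, blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${recordId}:${column}`));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Encrypts every protected column of a record under that column's own key.
function encryptRecord(record) {
  const out = { id: record.id };
  for (const col of Object.keys(columnKeys)) {
    out[col] = encryptField(columnKeys[col], record.id, col, record[col]);
  }
  return out;
}

// Returns only the columns the role holds a key for; unknown roles get none.
function readAs(role, stored) {
  const view = { id: stored.id };
  for (const col of roleGrants[role] || []) {
    view[col] = decryptField(columnKeys[col], stored.id, col, stored[col]);
  }
  return view;
}
```
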

Final thoughts

In conclusion, please note that data encryption is a continuous process. Make sure to follow the five best data encryption practices to safeguard sensitive files and prevent leaks. Be sure to monitor the effectiveness of your data encryption strategy to enhance it over time. Ensure your encryption vendor allows you to scale your network in the least disruptive way. Your encryption strategy must support data migration, especially if you have plans to shift to the cloud. It should support third-party technology integration to allow you to manage new business opportunities without compromising on security. Your data encryption must have multiple layers of security to safeguard your data in the case of a data breach and should not affect the functionality, accessibility, or performance of your data.

To find out more contact Tonderai Makumborenga, Cybersecurity Consultant on:

Email: tonderai.makumborenga@zw.ey.com or eymarketing@zw.ey.com

Address: Angwa City Building, Corner Julius Nyerere Way/ Kwame Nkrumah Avenue. P O Box 62, Harare, Zimbabwe.

Tel: +263 4 750905/ 750979

This article was compiled by EY as a source of general information and notification and should not be construed as a formal professional/legal opinion. Although reasonable skill and care is taken when providing information, EY offer no warranties or representations as to the information's accuracy. The information provided is not intended to replace the need for an expert/legal opinion on interpretation, application and consequences of the relevant legal, technical or regulatory provisions. EY does not accept responsibility for any loss or damage you or any third party may suffer as a result of utilising the information provided.

Figure 1: Data encryption practices to reduce the risk of breaches
