I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information.
And, I also want to stop seeing stories reappear about such an incident, such as the stolen NASA laptop with the clear text Space Station control codes that was stolen last year, but is making the headlines yet again today.
NASA is a large enough, and tech savvy enough, organization to know better! However, there are many organizations that simply don’t understand what a valuable information security tool encryption is.
I work with many small to medium sized businesses (SMBs), all of which have legal obligations (such as through HIPAA and HITECH, along with contractual requirements) to protect sensitive information, such as personal information. Over the past year I’ve heard way too many of them make remarks such as…
- “I’m using encryption; I have an email add-on that automatically encrypts all my messages. So, don’t have to worry about security.”
- “Our site uses SSL so everything sensitive is encrypted.”
- “Our IT department created an encryption process to scramble all the data in our server.”
- “I don’t have to use encryption; I’m not in a regulated industry.”
Here are the common long-held myths related to these misconceptions, and what organizations need to know about these flawed beliefs.
1. Myth: Using SSL or HTTPS encrypts data everywhere.
You Must Know: It is good that organizations are using HTTPS and SSL! However, in general HTTPS and SSL only encrypts data in the pathway between web servers and web browsers. That data will not still be encrypted in storage areas, or in emails, or other locations. There are different types of encryption for different types of data uses and storage areas.
2. Myth: Encryption is too expensive for SMBs.
You Must Know: Encryption is now a fraction of the cost that it used to be. There are also some very good freeware encryption tools available. There is no reason that SMBs, or any other types of organization, or individuals, should not be using encryption; cost is no longer a good excuse. Encryption is simply too effective of a security tool not to use!
3. Myth: Encryption is too hard to use.
You Must Know: Is creating encryption solutions difficult? Well sure, but because of all the options available from a wide range of vendors you do not have to create your own encryption solution. Is it hard to use those solutions? Several years ago using encryption was comparatively difficult. However, now most encryption solutions are good and easy to use. Any type of SMB can use encryption of every kind that they need to use to mitigate risk and meet compliance requirements.
4. Myth: By using encryption we then don’t need to use firewalls, anti-virus, or other security tools.
You Must Know: Au contraire, mon frère! Encryption is indeed a great tool that can protect data. However, there are many other threats to networks, systems, and applications that you also need to have other security implemented to protect against. Firewalls and anti-malware systems and software, just to name a few, are also necessities in today’s high-risk digital environment. This is commonly referenced as the need to have “security in depth” and “security in layers.” You should implement all the layers of security necessary, which also should include physical security controls (e.g., locked doors) and administrative security controls (e.g., policies), to reduce your risks to acceptable levels. You should identify all the necessary administrative, physical and technical (which includes encryption) controls within your business risk management plan.
5. Myth: Encryption must be deployed everywhere in an organization.
You Must Know: Appropriate types of encryption solutions should be deployed where ever necessary to mitigate risk to sensitive information. And the types of encryption will vary based how the data is stored, transmitted and used. Some areas of your organization, such as in the internal intranet where certain types of data is made available to all employees and protected by an external firewall, typically does not need to be encrypted. Other areas should always encrypt sensitive data. Here are some important areas where the appropriate types of encryption solutions should be used:
- Websites: Typically using HTTPS and/or SSL
- Emails: Often using vendor or freeware add-on solutions. However, many email systems now come with encryption capabilities that you can use.
- Mobile computers: Data in storage using one of many different vendor solutions.
- Mobile storage devices: There are encryption solutions for disks, USBs, CDs, DVDs and tape.
- Wireless transmissions: Using a wide variety of wireless encryption options.
I could write much more about each of these myths, but this should get you pointed in the right direction. If there is enough interest I will write some follow-up posts about each of these.
So, the lessons are that 1) every organization and individual should use encryption to protect data, and 2) sensitive data should always be encrypted on mobile computers and storage devices and in transit through public networks. If all organizations would start doing this you would see the numbers of breaches reduced dramatically.
Also, most organizations have some type of contractual or regulatory requirements for encryption, particularly for personal information. A good topic for another day.
Cross-posted from Privacy Professor