Despite the undoubted importance of cybersecurity and sound data management across organisations, best practice remains elusive, argues Jon Fielding, EMEA Managing Director at Apricorn.
US president Joe Biden has made an executive order on improving that nation’s cybersecurity, stipulating the need to encrypt data both at rest and in transit. Meanwhile, three in every ten IT leaders this year in our 2021 Global IT Security Survey revealed that their organisation had suffered a data breach that could have potentially been mitigated by encryption.
18% of respondents told us that their company had experienced a breach through lost or misplaced devices; a common occurrence despite peace-of-mind being easily achievable via end-to-end encryption coupled with correct backup and storage strategies.
Another 12% admitted point-blank that the breach at their organisation was down to a lack of encryption. This both highlights and underlines the crucial role encryption has to play in protecting sensitive information.
A knee-jerk response might counter by pointing out that the USA is not the UK. However, our world is one of globalised communications, cyber threats and multinational companies. Like it or not; we’re all connected.
Therefore, while a third of UK organisations now require all corporate data to be encrypted as standard, according to Apricorn’s latest survey of IT leaders, the share simply isn’t high enough as yet to deliver any desirable ‘herd immunity’ against cyberattack.
Step into encryption’s ‘brave new world’
Another 39% admitted that they could not be certain their data is adequately secured for remote working. Thus, better control over data security, both corporate and individual, is very clearly required. Meanwhile, cyber threats and attacks continue to evolve to target an array of vulnerabilities.
Luckily, enterprise data encryption and cryptographic techniques also continue to develop and innovate, keeping just ahead of the hackers. In addition, Federal Information Processing Standards (FIPS) continue to advance.
It has often been assumed that implementing cybersecurity can mean strangling device and application performance – but technological advances have reduced the chances of this issue. Solid state drives (SSDs) available today, for instance, are smaller than a deck of cards yet deliver read/write speeds of 350/310MB/s – nearly twice as fast as their immediate predecessors.
A malicious actor typically cannot simply apply a brute-force attack to crack the passcode for access to a hardware-encrypted device because the cryptographic module will stop accepting sequential incorrect attempts and eventually wipe access to the data once a pre-determined threshold is reached, ensuring that data can no longer be accessed by anyone. The long prevalent alternative of software-based encryption is vulnerable to portability challenges, counter resets or potential copying of an encrypted file for a cracking attempt.
Hardware-encrypted devices are becoming the technology of choice for storing and backing up encrypted data, especially while maintaining accessibility for a distributed or mobile workforce.
Removable storage devices with built-in hardware encryption can be assigned to employees – and managers – ensuring all data can be stored or moved around safely offline. Even if the devices are lost or stolen and inserted into another host computer, the information stored therein remains unintelligible to those not authorised to access it.
Back it all up – with policy and education
Many business managers may not have considered the use of a FIPS-certified, software-free hardware-encrypted mobile storage device. Incorporating pinpad authentication and device whitelisting practices – locking down USB ports to all but corporately approved devices.
In our survey, 18% of IT leaders also reported that they don’t understand which of their data sets need to be encrypted; 15% indicated they have no control over where company data goes and where it is stored. Again, this underlines the crucial role of sound policy and solid education to assist workers and management alike to enhance their awareness and practices to counter real-world threats anywhere and any time, even as they emerge.
We would argue, therefore, that not only should hardware encryption be considered, but that encryption of all data at all times should be mandated in policy and enforced at operations level.
The UK Information Commissioner’s Office agrees – noting that Article 32 of the General Data Protection Regulation (GDPR) states that organisations implement encryption where appropriate. Organisations should have an encryption policy in place that governs how and when encryption is implemented and train staff in the use and importance of encryption. Staff and managers alike should be included and their input sought and implemented at all stages of this ongoing process for the best results.
Developing and adopting a policy that covers an entire organisation and mandates the deployment of the right solutions at the endpoint not only allows employees to use their own hardware safely but gives them autonomy, assisting operational agility and defending against the risk of cyberattack. Of course, all policies should be regularly revised and training updated to ensure continued relevance.
With the hybridised workplace infrastructures of today, good cybersecurity practice means considering vulnerabilities associated with staff, partners, and customers wherever the touchpoint, and regardless of whether the endpoints used are corporate laptops and desktops or BYOD.
- The future of work: driving employee engagement in a hybrid working landscape
- How Wi-Fi6 will optimise hybrid working
- Which European countries have the best and worst cybersecurity?
- McAfee: How to make telehealth safer for a more convenient life online
Encryption is becoming increasingly important as critical to sound data management, and its use must be ramped up to avoid a rise in breaches in the many organisations seeking to retain the benefits of hybrid home/office working practices. This should happen today – there’s simply no better time.