Encryption as a means of securing data can trace its roots back to the earliest days of employing cryptology to send secret messages. From an IT perspective, however, encryption first began to be applied to data with the arrival of the public encryption standard and public-key cryptology way back in the 1970s. Almost 50 years later, the “Encrypt Everything” movement is finally gaining some momentum. At an AWS Summit event this week, Amazon Web Services (AWS) CTO Werner Vogels encouraged attendees to make sure they encrypt everything now that encryption has been built into over 165 different AWS services.
A global survey of 5,856 business and IT professionals conducted by The Ponemon Institute on behalf of nCipher, a provider of encryption software, finds 45 percent of respondents say their organization has an overall encryption plan that is applied consistently across the enterprise. Another 42 percent say their organization has a limited encryption plan or strategy that is being applied to certain applications and data types. The survey also notes that the biggest challenge organizations face as far as encrypting data is enforcing their encryption policies (73%). The simple fact of the matter is people simply forget to encrypt data.
There’s nothing wrong with encrypting data as part of a cybersecurity defense strategy. In fact, regulations such as the General Data Protection Regulation (GDPR) being enforced by the European Union (EU) require organizations to encrypt sensitive customer data. But organizations that do encrypt data are likely to have a false sense of just how secure that data really is. One of the reasons cybercriminals are so focused on compromising credentials is that it allows them to authenticate themselves to any system. They may not be able to copy data that’s been encrypted, but they can still see that data and, most significantly, change it. That may not sound like a huge threat. But when you think about the impact a change to a key piece of data could have on, for example, a process control system, it quickly becomes apparent that encrypting data by itself isn’t going to be nearly enough to ensure cybersecurity. Not only will someone invariably forget to encrypt data, but there’s also a lot of damage that can be inflicted whenever anyone gains access to data, whether it’s encrypted or not.
Of course, the primary method cybercriminals still rely on to gain access to data is old-fashioned phishing attacks. As these attacks have become more sophisticated, individuals that are known to have access to organizations are being specifically targeted using what is known as a “whaling attack.” The fact that a lot of the data that these individuals have access to is encrypted is not much of a deterrent. After all, information is power. Just knowing something in advance, for example, can impact the value of a stock. Naturally, it’s also worth noting that some of those whaling attacks are being targeted at individuals that have the keys required to decrypt all of an organization’s data.
All in all, encryption is a very good thing to apply as broadly as possible. However, just because data has been encrypted once, it doesn’t necessarily follow that it will stay that way.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.