To encrypt or not to encrypt?

– To encrypt, or not to encrypt? –

Encryption is a hot topic in security circles these days.

There are lots of different viewpoints about whether to encrypt or not.

All of us here on Naked Security will tell you that you can’t have enough encryption.

Wisely used, encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves and many other sorts of cybercriminal.

Regulators and auditors will not only advise you to encrypt your data, but even insist that you encrypt some or all of it.

Regulators are becoming increasingly strict about encrypting sensitive data, to the point that the US Appeals Court recently ruled that it is unfair business practice not to protect your customers’ information.

A few politicians and policy makers are trying to go in the other direction.

They want us to turn back the clock and stop using encryption, or to accept weakened implementations, to make it easier to catch crooks and terrorists.

(We can’t see how security can be strengthened by deliberately weakening it, but this controversy around encryption is only making it an ever hotter topic!)

And there are many businesses – particularly small ones – who are, quite simply, a bit shy about using encryption.

Either they don’t think their assets are of any interest to cybercriminals, and therefore they don’t need to encrypt at all, or they think encryption is likely to be more trouble than it’s worth.

To help you find your way through the myths and misconceptions, here are five tips to help you answer the question, “To encrypt or not to encrypt?”

In any organisation, data is valuable.

That may be customer information (names, email addresses, credit card information, and other personally identifiable information like Social Security or national identity numbers), internal financial information, employee information, intellectual property, and more.

Unfortunately, that data isn’t valuable only to you.

It’s also valuable to criminals who get hold of it illicitly, whether that’s through lost USB keys, stolen laptops, unsecured backups, unprotected databases, or any other means.

Even if the criminals who steal your data don’t intend to use it themselves, they can sell it on underground markets, where other criminals who have a clear plan for it may buy it up for nefarious purposes.

Additionally, some hackers see value merely in havoc, by exposing your data in what’s called a “dump,” where they publish everything they can get about your organisation, even the most private correspondence with staff members or customers, for the whole world to dredge through at its leisure.

In those cases, the damage to your brand, your workforce and your customers can be inestimable.

Simply put, encryption is an excellent way to protect all kinds of data, so we recommend you encrypt your data whether you are legally obliged to or not.

There’s an old saw that says, “You can’t get something for nothing.”

But most modern computers, even laptops and mobile devices, rarely run at full capacity. Some of today’s phones, for example, have quad-core, 6-core and even 8-core processors.

A few years ago, you might have found a measurable difference between an unencrypted and a fully-encrypted hard disk, and even have noticed the difference during regular work.

We think that you will be hard-pressed to spot the difference in performance today.

Of course, the crook who steals your laptop will definitely tell the difference: he (or the criminal he sells it on to) will typically be able to copy absolutely everything off an unsecured laptop, but nothing at all off a properly encrypted one.

→ Just having a password isn’t enough. Boot-time passwords and logon windows can stop crooks using your computer directly. But by transferring your hard disk or SSD to a computer of their own, they can grab all your data and analyse it at their leisure.

Encryption is like locking your data up in a safe – it’s secure against anyone who doesn’t have the key.

So, encryption without proper key management is risky: if the bad guys get at the keys, they can access your secrets; but if the good guys forget their keys, they can’t do any work.

A good encryption product makes it easy for an organisation to keep track of what is encrypted, and how, as well as providing a secure mechanism for what’s called key recovery.

That’s useful if someone forgets their password, or quits the company in a huff.

But beware: there is a big difference between “key recovery” and a “backdoor”.

A backdoor is like a safe that can always be opened with the secret built-in combination 31-33-7 if the real combination gets forgotten.

Backdoors have a nasty habit of not staying secret very long, so avoid any product with a backdoor.

Key recovery, in contrast, provides an alternative decryption key that can only be retrieved by someone (or sometimes by two or more people acting together) whose authority over the encrypted data is the same as or better than the user who forgot their password.

Some cloud providers transparently encrypt your data after you upload it, and decrypt it for you before you download it again.

That’s good, because it means that if someone breaks in and steals their hard disks containing your data, the crooks will probably end up with shredded cabbage.

But cloud-only encryption is not enough, which is why we recommend that you encrypt your data before it leaves your computer or your own servers, and decrypt it after you’ve downloaded it, even if the cloud provider encrypts it as well.

The problem with pure “in the cloud” encryption is that the cloud provider has to be able to decrypt your data to send it back to you, so he could, in theory, decrypt it at any other time, too.

And even if you trust your provider implicitly, you can’t always control where in the cloud infrastructure your data is stored.

So your data could end up – for example as part of a law enforcement operation that has nothing to do with you – decrypted by order of a court without you having any say, or even being told.

A good encryption product makes it easy to encrypt cloud uploads automatically before they leave your computer or your network, in just the same way as ensuring that files stored onto removable devices are encrypted before they are copied across.

Why wouldn’t they be?

If a crook can steal your data with an effort costing $0.02 and sell it for $200, why wouldn’t he?

Especially if he can write a script to scour the internet looking for weakly protected computers, and then steal the data automatically while he’s asleep.

According to the 2015 Verizon Data Breach Investigation Report, over 700 million records were compromised in 2014, and 53% of confirmed data loss incidents were in organisations with fewer than 1000 users.

No organisation anywhere in the world is immune to data theft and loss, regardless of geography, size or industry sector.

Encryption won’t guarantee to prevent or mitigate every possible sort of data breach.

But, like firewalls, email filtering, an intrusion prevention system, anti-virus, patch assessment and many other security tools, encryption adds another important layer of protection.

Encryption can help you ensure that if the worst happens, and criminals make off with your laptop, phone, server, removable disk, and so on, then when they try to extract your precious data…

…they really do end up with just shredded cabbage.

Image of Hamlet and Yorick (deceased) courtesy of Shutterstock.