In the digital age we have reached a point where an organisation’s data is its most valuable asset. While data regulation has been strengthened to reflect this growing value, the sophistication of attackers’ techniques has also increased, making this a very dangerous time to leave yourself exposed to the risk of a data breach.
The EU’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018, has been a cause for concern for many organisations. Research we conducted in May, ahead of the compliance deadline, showed that fewer than a third of surveyed organisations felt confident they would comply with the regulation. On top of this, 53% of those surveyed cited the complexity and management of the technology employees need and use to protect corporate data as a major barrier to compliance. Another barrier cited was employees lacking the skills or tools required to keep data safe.
Add to this the fact that threats to businesses increasingly involve human targeting and social engineering to gain access to data, and even the savviest employees are now at risk of falling for an attack. At first glance, protecting your data in such a climate can seem an impossible task, but there is one measure that both covers your own back and goes a long way towards complying with regulation.
Encrypting your data
Encryption is unavoidably technical: prime numbers, multiple algorithms, symmetric and asymmetric keys and a plethora of three-letter acronyms. The average user, however, has no need to understand any of this. Encryption should be automatic and invisible.
When properly embedded within a holistic information security plan, encryption provides the most effective last line of defence. If bad actors break through gateway defences to reach internal servers, or data is intercepted while being transferred electronically or, for that matter, physically on removable media, the last line of defence has held as long as the bits and bytes recovered are unintelligible to the unauthorised recipient. Granted, the encryption must be correctly implemented, with sufficiently strong keys, ideally generated and held in hardware so they never leave the device, so that the only remaining attack is brute force. With a 256-bit key, brute force against the key itself is infeasible; what an attacker will actually try is the far smaller space of PINs or passphrases that unlock it. If the device also counts unsuccessful attempts and, on reaching a threshold, treats itself as under attack and erases the key, that short secret is protected too, and you have built in another layer of protection.
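The following is an added illustrative model of the design just described, written for this article rather than taken from any vendor’s firmware. The “device” holds only a salt, the data key wrapped under a PIN-derived key, an HMAC verifier for the PIN and a failure counter; the 256-bit data key is never stored in the clear, so guessing the PIN is the only attack, and after a threshold of wrong guesses the wrapped key is zeroised. The threshold, the PIN value and the PIN length are assumed values for the demonstration.

```python
"""Model of a PIN-unlocked, hardware-encrypted drive with a retry counter.

Illustrative model written for this article, not any vendor's firmware.
What the "device" stores: a salt, the data key wrapped under a PIN-derived
key, an HMAC verifier for the PIN, and a failure counter. The 256-bit data
key is never stored in the clear, so the only attack is guessing the PIN,
and after MAX_ATTEMPTS wrong guesses the wrapped key is zeroised.
"""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10  # assumed policy value; products use a range of thresholds


class EncryptedDriveModel:
    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)  # random 256-bit data encryption key
        wrap_key, mac_key = self._derive(pin)
        # One-time-pad wrap: wrap_key is 32 fresh bytes used for exactly one key.
        self.wrapped_dek = bytes(a ^ b for a, b in zip(dek, wrap_key))
        self.verifier = hmac.new(mac_key, b"pin-verifier", hashlib.sha256).digest()
        self.failures = 0
        self.wiped = False
        # Only the wrapped form is retained; the clear key is not stored.

    def _derive(self, pin: str):
        # scrypt makes each guess cost time and memory. 64 bytes of output are
        # split into a 32-byte wrapping key and a 32-byte MAC key.
        km = hashlib.scrypt(pin.encode(), salt=self.salt, n=2**14, r=8, p=1, dklen=64)
        return km[:32], km[32:]

    def unlock(self, pin: str):
        """Return the 32-byte data key for the correct PIN, None otherwise.

        Wrong guesses are counted; reaching MAX_ATTEMPTS crypto-erases the
        device, after which even the correct PIN recovers nothing."""
        if self.wiped:
            return None
        wrap_key, mac_key = self._derive(pin)
        candidate = hmac.new(mac_key, b"pin-verifier", hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.verifier):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self._crypto_erase()
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.wrapped_dek, wrap_key))

    def _crypto_erase(self):
        # Destroying the wrapped key makes the ciphertext on flash unrecoverable.
        self.wrapped_dek = bytes(32)
        self.verifier = bytes(32)
        self.wiped = True


def brute_force_demo(real_pin: str = "7391", pin_digits: int = 4):
    """Attacker walks the PIN space in order. Returns (attempts, key, wiped).

    real_pin is a constructed value. With a retry limit the attacker gets at
    most MAX_ATTEMPTS guesses before the key is gone, not 10**pin_digits."""
    dev = EncryptedDriveModel(real_pin)
    attempts = 0
    for guess in range(10**pin_digits):
        attempts += 1
        key = dev.unlock(f"{guess:0{pin_digits}d}")
        if key is not None or dev.wiped:
            return attempts, key, dev.wiped
    return attempts, None, dev.wiped


if __name__ == "__main__":
    attempts, key, wiped = brute_force_demo()
    print(f"guesses made: {attempts}, key recovered: {key is not None}, device wiped: {wiped}")
```

Without the counter, a four-digit PIN falls to at most 10,000 guesses regardless of how strong the data key is; with it, the attacker is stopped after ten and the data is gone for good. Note that the counter only does its job if it is enforced by the device itself, out of reach of host software.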
The same survey that found organisations worried about GDPR compliance because of a lack of understanding of the technologies and applications involved also found that only half were completely confident that their data was encrypted, whether in transit, in the cloud or at rest. Regulation like GDPR does not prescribe specific technologies, but Article 32 lists “the pseudonymisation and encryption of personal data” first among the measures a controller should consider as appropriate to the risk. Article 34 goes further: if the personal data affected by a breach was protected by measures that render it unintelligible to anyone not authorised to access it, such as encryption, the organisation is not required to communicate the breach to each affected data subject, avoiding the resulting administrative cost and potential reputational damage. Note that this exemption covers only the notification of individuals; the breach must still be reported to the supervisory authority under Article 33 unless it is unlikely to result in a risk to those individuals. So while encrypting your data is by no means a get out of jail free card when it comes to data protection regulation, it certainly makes compliance a far more attainable goal.
In itself, data encryption isn’t a silver bullet. Specific policies and processes should be created and enforced to protect data when it is outside central IT systems, including policies covering removable media, mobile devices and flexible working. This matters because one in ten companies admit their security strategy does not currently cover storage devices such as USB drives. That is concerning when, this time last year, a USB stick was found in London containing the exact route the Queen takes to the airport and her security measures, along with those for cabinet ministers and foreign dignitaries. It also reportedly contained other sensitive information such as a timetable of security patrols guarding against terror attacks and the types of ID needed for restricted areas. That such high-level, sensitive data was sitting unprotected on a USB stick highlights the necessity for encryption across all devices.
It is vital to remember that data can be encrypted at many levels, and businesses often focus solely on the storage layer, leaving themselves exposed at unprotected points. The organisation’s information security policy should be enforced through technology wherever possible. For removable media that means mandating a FIPS 140 validated, hardware-encrypted mobile storage device and enforcing its use through device control: whitelisting the approved devices and locking down USB ports so they accept nothing else. The whitelist should identify devices by serial number as well as vendor and product ID, since a hostile device can present any vendor and product ID it likes. The user should not be left with a decision to encrypt or not.
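As an added example of the whitelist logic described above (written for this article; it is not any product’s code and not the rule syntax of USBGuard or Windows device installation restrictions, though both key on the same identifiers), the following evaluates a default-deny policy against constructed USB device descriptors. Vendor and product IDs and serial numbers are placeholders, not real assignments.

```python
"""Default-deny USB allowlist evaluated against device descriptors.

Illustrative policy evaluator written for this article; not any product's
code. Rules are checked in order and the first match wins; a device that
matches nothing is blocked. Allow rules for storage pin the serial number
as well as vendor:product, because vendor:product alone is trivially
presented by a hostile device.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MASS_STORAGE = 0x08  # USB interface class code for mass storage
HID = 0x03           # USB interface class code for keyboards and mice


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: Tuple[int, ...]  # a composite device exposes several


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    vendor_id: Optional[int] = None  # None means "any"
    product_id: Optional[int] = None
    serial: Optional[str] = None
    interface_class: Optional[int] = None

    def matches(self, dev: UsbDevice) -> bool:
        if self.vendor_id is not None and dev.vendor_id != self.vendor_id:
            return False
        if self.product_id is not None and dev.product_id != self.product_id:
            return False
        if self.serial is not None and dev.serial != self.serial:
            return False
        if self.interface_class is not None and self.interface_class not in dev.interface_classes:
            return False
        return True


def evaluate(rules, dev: UsbDevice, default: str = "block") -> str:
    """First matching rule decides; otherwise the default (block) applies."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action
    return default


# Constructed inventory of approved hardware-encrypted drives (placeholder
# IDs): one allow rule each, pinned by vendor, product AND serial.
APPROVED_DRIVES = [
    (0x1234, 0x5678, "ENC-000123"),
    (0x1234, 0x5678, "ENC-000124"),
]

POLICY = [Rule("allow", vid, pid, serial, MASS_STORAGE) for vid, pid, serial in APPROVED_DRIVES]
POLICY += [
    # Order matters: the storage block sits before the HID allow, so a
    # "keyboard" that also exposes a storage interface is still blocked.
    Rule("block", interface_class=MASS_STORAGE),
    Rule("allow", interface_class=HID),
]


def demo():
    """Evaluate the policy against constructed devices; returns {name: decision}."""
    devices = {
        "approved":   UsbDevice(0x1234, 0x5678, "ENC-000123", (MASS_STORAGE,)),
        "cloned_ids": UsbDevice(0x1234, 0x5678, "UNKNOWN-01", (MASS_STORAGE,)),  # right IDs, wrong serial
        "consumer":   UsbDevice(0xABCD, 0x0001, "C03FD5B7", (MASS_STORAGE,)),
        "keyboard":   UsbDevice(0xABCD, 0x0002, "", (HID,)),
        "badusb":     UsbDevice(0xABCD, 0x0002, "", (HID, MASS_STORAGE)),       # keyboard plus hidden storage
    }
    return {name: evaluate(POLICY, dev) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:11s} -> {decision}")
```

The point of the ordering and the serial pinning is that the decision should not hinge on anything a hostile device can choose for itself. In production this logic lives in the operating system or endpoint agent rather than a script, but the identifiers it keys on are the same.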
Effective data encryption stands your organisation in good stead for compliance with GDPR and other regulations. It remains important, however, to re-evaluate your data protection practices regularly and look for the chinks in the armour, whether in mobile working technology or in employees’ understanding of why data security matters: protecting your data is protecting your organisation. Organisations should analyse their data, identify everything that needs protecting, understand where it lives and how it moves, and ensure it is encrypted at every stage of its lifecycle.