Encryption has been described as useless if users are not instructed on how to use it properly.
Mike Gillespie, a director at consultancy Advent IM, claimed that security needs to become part of the mechanism of businesses. Gillespie said that in its typical line of business the consultancy looks at best practice and compliance, and has been focussing on security being holistic rather than a matter of technology.
As a result of this, he observed that people, processes and physical security need to be given equal measures of attention.
Gillespie said: “It is a combination of education and technology and if you have one without the other it fails, you wouldn't put someone on a fork lift truck without any training but at the same time you put someone in charge of a massive database without the right knowledge.”
He further claimed that general knowledge around encryption is limited, citing one incident with a client who believed that if they closed the laptop the data would be encrypted, with another claiming that if they have encryption they do not have to worry about secure disposal.
Gillespie said: “Encryption causes people to be less careful, the user says that their laptop is encrypted and if I lose it the data won't be breached. Encryption is only as good as data encryption, yes 256-bit encryption is the strongest but 256-bit with user authentication can be broken in hours as users do use easy passwords and it becomes effectively flawed. We need to look at the big picture rather than technology.”
He also pointed to a recent report by The National Archives, which claimed that most organisations do not have senior management who understand risk. “Compliance and governance are a big part of security that needs to be considered at board level and needs to be risk assessed. Most big organisations are not doing risk management, it is still being kept away from board level,” said Gillespie.