Deploy encryption to enhance security, not just to meet compliance requirements

News by Chandu Gopalakrishnan

Encryption is no longer a compliance issue, but a proactive business choice, required to protect the proliferating volumes of data that we now produce.

Compliance is no longer the primary reason for global businesses to adopt encryption. A study by nCipher Security and the Ponemon Institute found that encryption is transitioning from being viewed as primarily a compliance requirement to something businesses are adopting as a proactive choice to safeguard critical information. Meanwhile, the proliferation of data that needs to be protected has become a key challenge.

UK businesses often start using encryption primarily to protect against specific or identified threats, while protecting customer personal information is the top driver for global businesses deploying encryption for the first time, according to the report.

The study sourced information from 17 locations internationally, covering sectors ranging from financial services (15 percent of respondents) to entertainment and media (two percent). Compliance has fallen to the fourth most popular reason to adopt encryption.

“Many regulations do not go as far as to directly mandate encryption as a specific data protection mechanism,” John Grimm, vice-president of strategy at nCipher Security, told SC Media UK.

“However it (encryption) is frequently cited as an example of an acceptable and popular method (of protection). PCI DSS is an example of a regulation that directly requires and specifies encryption for payment card data.”

Encryption needs to be deployed well to be effective: strong, industry-validated algorithms, keys of appropriate length and well-implemented software all play a crucial role in the effectiveness of an organisation's encryption, he noted.

“Most importantly, assure that the encryption keys themselves are well protected. Encryption always must be accompanied by best-practice-based key management in order to accomplish its purpose in protecting sensitive data. Encryption without protecting the key is like locking your house, but leaving the key under the doormat.”

Several techniques, such as homomorphic encryption, multi-party computation and quantum-resistant algorithms, can increase the effectiveness of encryption, but they are early-stage technologies that are not yet ready for mainstream use because of their current limitations. According to the study, practitioners do not expect any of the three to affect enterprises for at least the next five years.

“Homomorphic encryption enables you to perform operations on encrypted data without ever decrypting it. This can eliminate vulnerabilities of data exposure when it is being operated on. Multi-party computation breaks transactions into multiple parts and relies on multiple parties to each perform a piece of an entire operation. Quantum resistant algorithms will not be breakable when quantum computing reaches the ability to break current public key algorithms such as RSA and ECC,” Grimm explained. 

Currently, employee mistakes remain the most significant threat to sensitive data, prompting 54 percent of respondents to use encryption. Attacks by hackers (29 percent) and malicious insiders (20 percent) came a distant second and third. Legal data access demands (12 percent) and government snooping (11 percent) were among the least significant threats cited.

The Insider Data Breach Survey 2020 by Egress showed that legal sector IT leaders and employees from the Benelux region as well as the US and UK listed insider breaches as a prime threat.

“It’s just not possible to be 100 percent secure. With an ever-growing attack surface, classic network protection is not the best way forward. Sometimes you won’t even notice you’ve been breached. In the end, the most important thing to do is to protect your customers' data,”  observed Anna Russell, EMEA VP at comforte AG. 

“Encryption and tokenisation are actually more important than access security, because the data would be protected in a way that makes the data meaningless and worthless to a hacker or bad actor. The encrypted or tokenised data could not be listed for sale on the dark web because the data would be undecipherable,” she added.

Organisations, for their part, have started adopting blockchain, with cryptocurrency/wallets, asset transactions, identity, supply chain and smart contracts cited as the top use cases, Grimm pointed out.

“A quality of blockchain that is valuable from a security perspective is that it lets entities or individuals who don’t know each other or have any form of trust relationship to conduct verifiable transactions,” he said.

However, the adoption of encryption techniques depends on the "pain threshold" of the organisation and the sector, said the study.

“The pain threshold in this context relates to how painful respondents believed encryption key management to be. This was defined based on the rating done by respondents on how painful managing the encryption keys is, between seven and 10 on a 10-point scale with ten being the most painful. The greatest sources of pain in relation to key management were: lack of clear ownership (66 percent); lack of skilled personnel (57 percent); and isolated and fragmented systems (48 percent),” Grimm said.

Germany, with some of the strictest privacy laws in the world, leads the list in 'pain threshold', said the study.

“German respondents reported using a greater variety of key management systems than other markets. As one of the countries blazing the trail for others in meeting some of the strictest demands on encryption, Germany feels these global pains particularly acutely,” Grimm said, interpreting the high score.

“Additionally, the problem of lack of ownership was particularly acute in Germany, where that was reported by an astounding 93 percent of respondents (compared to the global average of 66 percent), suggesting struggles between application owners and IT security stakeholders.”

The biggest factor that prevents management from adopting better security policies is the relentless pressure to choose between high security and seamless access: protecting customer data, business-critical information and applications while ensuring business continuity, he added.
