Self-inflicted ransomware: Is your data hostage to uncontrolled encryption?

Thanks to attacks such as WannaCry, Petya, and Bad Rabbit, ransomware was one of the biggest cyber-security stories of 2017. Encryption malware infected devices on an unprecedented scale, costing organisations billions in lost revenue and new expenses, in addition to the millions paid out in fruitless attempts to recover affected data.

Ransomware grabs headlines because it hits hard and fast. Unlike other security breaches that take months to detect, ransomware locks down data the moment it executes, throwing the victimised organisation into immediate chaos. For example, the Netherlands' TNT Express could not function after its systems were infected by Petya in June, leading to massive service disruptions that cost its parent company—FedEx—more than US$300 million (£225 million).

The lesson of ransomware is this: no organisation can survive without proper access to its data. What many organisations fail to appreciate, however, is that their own employees are putting critical information at risk of permanent lockdown every day, without the need for ransomware to do the dirty work.

Uncontrolled encryption—the use of encryption technology in the absence of (or in violation of) a corporate policy—creates the same problems as a ransomware attack. Employees who encrypt files and devices using their own tools render important data inaccessible to anyone without the key, disrupting the flow of information and causing issues throughout the organisation.

The road to cyber-security hell…

Employees rarely encrypt data to purposely sabotage their employers. On the contrary, uncontrolled encryption is usually a sign that employees understand the value of sensitive data and want to protect it. The problems arise when companies fail to provide tools that allow workers to keep data safe using a standardised approach.

Companies that lack formal encryption policies are at the greatest risk, as they leave employees to decide if, when, and how to protect their data. Without a policy to guide them, well-intentioned workers often take matters into their own hands. Most productivity tools and cloud storage providers now offer encryption functionality, so employees have a wide variety of products from which to choose, any one of which can potentially prevent anyone—the employer included—from accessing the encrypted data.

Organisations with established but outdated or difficult-to-use encryption policies and tools run many of the same risks. Employees are forced to choose between three problematic options: leaving data unprotected, disrupting their work to use the company encryption tool, or protecting data on their own.

Whatever the reason, once an employee encrypts a file or device on his or her own, the company has no control over what happens next. The employee might neglect to share the decryption key with someone who needs it, might leave the company without decrypting the data, or might simply forget the passphrase. Modern encryption algorithms are too strong for any computer to break (hence their popularity with ransomware creators), so if the decryption key is unavailable, the data is effectively lost forever.

A hidden threat

Unlike ransomware, uncontrolled encryption does not announce itself all at once. The problem grows gradually, being revealed each time an employee or business partner attempts to access data someone else has locked using their own tool. Unless someone recognises the pattern, the disruptions can continue for years, ultimately damaging business relationships and reducing efficiency.

Uncontrolled encryption also creates problems for data loss prevention (DLP) scanners, the technology responsible at many organisations for ensuring sensitive information is not shared outside the company by unauthorised parties. DLP scanners cannot access files encrypted by user-selected tools, so outgoing traffic must either be blocked, re-routed, or (as is usually the case) allowed to proceed without the proper inspection.
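A DLP scanner cannot read a user-encrypted file, but it can at least recognise that it is looking at one and route it for a policy decision instead of silently passing it. The following is an added example of that triage step, not code from the author or from PKWARE. It assumes a simple byte-level check: a short list of leading markers left by common self-service tools (the OpenSSL `Salted__` prefix, an ASCII-armoured PGP message, the encryption bit in a ZIP local file header) plus a Shannon-entropy threshold for anything else. The marker list, threshold value, function names (`classify`, `triage`) and all sample inputs are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

# Leading byte markers of common user-chosen encryption tools (constructed,
# illustrative list; a real deployment would extend it).
MARKERS = {
    b"Salted__": "openssl-enc",
    b"-----BEGIN PGP MESSAGE-----": "pgp-armored",
}
# Bits of entropy per byte above which content is treated as opaque (assumed value).
# Encrypted data sits near 8.0; ordinary text is usually below 5.0. Compressed
# archives also score high, so this means "cannot inspect", not "is encrypted".
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the 'encrypted' bit set.

    Header layout: signature 'PK\\x03\\x04' (4 bytes), version needed (2 bytes),
    general purpose bit flag (2 bytes); bit 0 of the flag marks encryption.
    """
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify(data: bytes) -> str:
    """Label outgoing content: inspectable, encrypted:<tool>, or opaque:high-entropy."""
    for marker, tool in MARKERS.items():
        if data.startswith(marker):
            return f"encrypted:{tool}"
    if zip_is_encrypted(data):
        return "encrypted:zip-password"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "opaque:high-entropy"
    return "inspectable"


def triage(files: dict) -> dict:
    """Map filename -> action. Only inspectable files go to the content scanner;
    everything else is held for review, which is the block/re-route/allow decision
    the scanner cannot make on its own."""
    actions = {}
    for name, data in files.items():
        label = classify(data)
        actions[name] = "scan" if label == "inspectable" else f"review ({label})"
    return actions


# Constructed sample inputs (no real data).
PLAINTEXT = b"Quarterly revenue summary: region north 1.2M, region south 0.9M. Internal only.\n" * 20
OPENSSL_BLOB = b"Salted__" + bytes(range(8, 72))
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n"
# Minimal 30-byte ZIP local file header with general-purpose flag bit 0 (encrypted) set.
ZIP_ENCRYPTED = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0x0001, 0, 0, 0, 0, 0, 0, 0, 0)
# Deterministic high-entropy bytes standing in for an unknown encrypted container.
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

SAMPLES = {
    "forecast.txt": PLAINTEXT,
    "forecast.txt.enc": OPENSSL_BLOB,
    "forecast.asc": PGP_ARMOR,
    "forecast.zip": ZIP_ENCRYPTED,
    "forecast.bin": RANDOM_LIKE,
}

if __name__ == "__main__":
    for name, action in triage(SAMPLES).items():
        print(f"{name:20s} {action}")
```

The useful output is the count of files that land in the review bucket: a steady stream of `encrypted:openssl-enc` or `opaque:high-entropy` results on one team's outbound traffic is exactly the gradual, pattern-shaped signal of uncontrolled encryption that the previous sections describe, and it surfaces long before a lost passphrase does.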

Each high-profile data breach increases our awareness of the prevalence of cyber-threats and the importance of data protection. Employees, if for no other reason than to protect their own jobs, will become increasingly reliant on encryption to protect the data they deal with in their work. Organisations that implement thoughtful data protection policies and user-friendly tools can turn this behaviour to their advantage and enjoy the benefits. Those that don't will find themselves vulnerable not only to external threats, but to internal havoc of their own creation.

Contributed by Joe Sturonas, chief technical officer, PKWARE

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.