Encrypting a small business: Why remote working could be your blindspot
Despite many businesses already using encryption, the majority of policies lack complete coverage
In a business environment where cybercrime continues to pose a real and present danger to businesses of all sizes, paying close attention to how data and devices are protected is now of paramount importance. As Werner Vogels, Amazon's chief technology officer recently put it, we need to "encrypt everything".
There has perhaps never been a more urgent time to look at encryption strategies. Government research from 2018 revealed that over two in five businesses (43%) have identified security breaches in their systems in the last 12 months. Some of the most common attacks included staff receiving fraudulent emails (75% of those breached), individuals impersonating the organisation online (28%) and viruses and malware (24%). What's more, security breaches on average cost organisations 894 per incident over the past year.
Legacy systems such as desktop PCs and servers generally use high levels of encryption. However, mobile digital devices often use reduced levels of encrypted security, if indeed they use any encryption at all. According to Sophos, only a third of businesses encrypt the smartphones and tablets they hand out to employees.
Research shows that the majority of businesses do not employ encryption policies for mobile devices
Then there's the cloud to consider, which has become a new battlefield in the fight against cyber crime. As cloud adoption has increased, businesses have slowly handed off the responsibility for encrypting data to service providers that are themselves becoming a favoured target for cyber criminals.
Businesses understand that their customer data, in particular, must be encrypted. Highly regulated industries, such as financial services, have long used strong encryption to meet their compliance responsibilities, with other sectors reacting to high-profile security breaches by enhancing their use of encryption tools and protocols.
For example, the payment card Industry's Data Security Standard (PCI DSS) has strict requirements on how merchants need to employ encryption to protect stored cardholder data. The Data Protection Act 2018 and GDPR (General Data Protection Regulation) both make it mandatory that businesses take practical steps to protect customer data.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Data dispersal
However, companies are seeing that work is changing and that modern workplace practices, such as remote working, are creating new challenges when it comes to protecting data. Many businesses now operate with a highly dispersed workforce, one that still requires secure lines of communication to the office.
Some technologies have helped in this regard. Virtual private networks (VPNs) that use built-in encryption protocols are now becoming widespread, particularly across the small business community because of their relatively low cost and efficient deployment.
Yet this dispersal of employees is often a "barrier to a successful encryption strategy", according to findings from the Ponemon Institute's 2019 Global Encryption Trends report, with many businesses being unable to source where their sensitive data resides.
Some 69% of those surveyed said that data discovery was their biggest headache when it came to encrypting data, 42% found difficulties when first deploying new technologies, and 32% said they struggled to identify what data they should be encrypting as a priority.
For Martin Whitworth, research director of European Data Security and Privacy for IDC, businesses need to have an understanding of the application of encryption, specifically what it can and can't do.
"It is important for all organisations to have a stance, and policy, on encryption," says Whitworth. "However, this should not just be shelfware - it must reflect a well thought out position. In fact, one of the real benefits of developing an encryption policy is that it should drive a greater understanding of the topic, what it can do and what it can't do."
Many businesses already use SSL to encrypt data as it is transmitted
He adds that even those businesses who do have encryption policies in place, these often fail to fully protect data once it has been transmitted to remote workers outside of the organisation's firewall.
"Most small businesses are probably already using encryption - specifically encryption of data in transit, via their use of 'secure' web sites (SSL/TLS) and possibly VPNs for remote access," Whitworth adds. "But they should also be seriously looking at encryption of data at rest; whether this is full disk encryption of laptops and/or smartphones to protect the sensitive data that they have."
Despite there being an abundance of security tools available for businesses of all sizes, he believes that many of these are "off-putting to small businesses" as they are "not easy to integrate with existing applications".
"What is often missing are the skills and knowledge to implement, maintain and operate them appropriately," adds Whitworth, something which hits small businesses the hardest.
Understanding the basics
Despite the challenge facing small businesses, it's possible to simplify the process of encryption, provided you have a well-defined and communicated policy across your business. Data is now your business's most precious commodity - a commodity that must be protected.
The Ponemon Institute research found that 44% of businesses performed encryption on-premise before sending data to the cloud using keys their organisation generates and manage. However, 35% of respondents perform this encryption in the cloud, with cloud providers generating and managing those keys. Some 21% of respondents are using some form of Bring Your Own Key (BYOK) approach.
The quality of any encryption policy is dependent on how keys are generated, applied and managed
Regardless of the favoured approach to encryption, there are basic steps that all businesses should be taking. "Encryption is no longer an additional expense, it's something you can enable on most new devices," explains Oscar Arean, technical operations manager at Databarracks.
"A password on a laptop doesn't make the data secure. It's relatively easy to get access to the data either on the laptop or by removing the disk itself. BitLocker is a good start on new Windows laptops, or Mac's have FileVault. Neither are enabled by default; however, so the first and most important step is actually to enable encryption."
David Sutton is author of Cyber Security: A practitioner's guide, published by BCS. His advice is provided in a private capacity and doesn't necessarily reflect the views of BCS. He believes that encryption can be turned into a fairly straight forward exercise for small businesses, but they should be aware of the added restrictions it could place on day-to-day operations.
"Most commercial encryption software is suitable (or has a product) suitable for small business use," explains Sutton. "For file and disc encryption, there are really no cons."
However, he adds that "for email encryption, both sender and receiver must operate the same encryption standard, which can lead to complications when dealing with other organisations who already operate different systems. On the pro side, it's normally win-win on all types."
How to use encryption
Having a full understanding of the data landscape across your enterprise will help you figure out what types of encryption you need. When data is at rest stored on hard drives, servers or mobile devices, for instance, file or full drive encryption should be considered.
It's when data is in motion that encryption becomes even more vital. When data moves over your business's network or out onto the wider internet, it must have some form of encryption. It's likely your business has continued to expand its use of the cloud in some capacity and is probably developing hybrid cloud deployments. If that's the case, data must be encrypted at rest as well as when it's being transmitted.
Ramon Krikken, research VP Analyst at Gartner, tells IT Pro: "Encryption is considered a baseline control and often provides a first technical step in compliance programs. Encrypted communications, such as TLS (Transport Layer Security), provide a strong control.
"Data-at-rest encryption is more challenging," he adds, "because the layer at which it is deployed determines how much protection it provides - it's but a small part of a larger control set that includes monitoring and access control. In addition, encryption key management for data-at-rest encryption is a critical element, because losing the keys means losing the data."
Employees are often the weakest link in a security system, so you may want to think about extra training programmes
Of course, the quality of any encryption policy comes down to how keys are generated, applied and managed. For larger businesses, this is somewhat of an easier task despite the quantity of data that needs to be encrypted. Cryptography is often managed by in-house experts equipped with expensive hardware and software.
These resources aren't something that's typically available to small businesses, and investing in in-house expertise isn't usually feasible. As a small business, you'll likely find yourself working more closely with service providers. However, if that isn't an option that works for you, you can call upon key management products that are provided as a service. These tend to give you more control over encryption keys, but generally, it's more difficult to maintain full control unless you have the resources to do so.
What has become clear for all business owners is encryption must form a fundamental component of their data security policies. Where data is stored, who has access and, importantly, how data is protected when in transit and at rest, all require strong encryption protocols.
The use of mobile devices has also moved the perimeter of the security environment businesses have to manage outside of the control of their premises. Ensuring all data communications use strong encryption is now critical to meet data protection and regulatory privacy requirements.
Also, don't forget your staff. Consistently, one of the weakest links in a security system will often be the people handling data. Ensure your business has detailed and on-going education and training to encompass the encryption tools you are using to ensure they are always correctly used and not avoided for forgotten.
David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.
Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.
His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.