Encryption Basics: What is it, Best Practices, & More
May 16, 2022
Hackers are more aggressive than ever. Traditionally, cybercriminals would only encrypt data before seeking a ransom. But in a move popularized by the Maze group, it’s now become standard practice to copy an organization’s data prior to encryption. This practice, known as data exfiltration, allows threat actors to blackmail victims by threatening to publish or sell the files if their demands aren’t met. According to the 2021 CIRA Cybersecurity Survey, 59% of organizations that experienced a ransomware attack had data that was exfiltrated.
Data exfiltration is an extremely effective coercion tactic and has even secured a ransom in cases where recovery from backups was possible. With deep insight into an organization’s revenue, operations, and business plans, hackers can even tailor their ransom demands and pick the opportune moment to strike.
To safeguard against data theft, all organizations should deploy encryption wherever possible for data at rest and data in transit. Keep reading to learn more.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What is encryption?
Encryption is a way of encoding or scrambling data so that only authorized parties can read the information. To do so, it changes the original content, known as plaintext, to an alternative form, or ciphertext, so that it appears random and incomprehensible to unauthorized individuals. In order to decipher the data, the viewer must have a cryptographic key to convert it back to plaintext; this reversal process is known as decryption.
Why is encryption effective?
When applied correctly, encryption is one of the most powerful tools in an organization’s cybersecurity arsenal to protect data at rest and in transit. Although encryption can’t stop a breach from happening, it can prevent cybercriminals from repurposing stolen data in future attacks. Even if data is intercepted, only users who have the right key will be able to decrypt it.
What’s “data at rest” and “data in transit”?
Depending on its movements, data exists in three different states:
Data at Rest
Data at rest refers to all data that is passively stored in one place. Data at rest is not being used or moving between devices or networks and includes all records stored on file servers, network shares, document management systems, cloud storage systems, computer hard drives, flash drives, and mobile devices.
Data in Transit
Data in transit, also known as data in motion, is actively travelling from one location to another. This includes all data that moves through email, the internet, instant messaging or communication channels, cloud systems, file sync apps, and more. Once it arrives at its destination, data in transit becomes data at rest. Data in transit is considered to be more vulnerable than data at rest since it’s exposed to more threats while moving between locations.
Data in Use
Data in use is actively being updated, processed, erased, accessed, or read by a system. This includes data opened in PDFs, databases, or any kind of office, corporate, cloud, or mobile app.
How do I protect data at rest and data in transit?
Encryption can be seamlessly integrated into core business applications to safeguard both data at rest and data in transit. Most organizations will benefit from encryption in the following areas:
- Hard drives should be encrypted to protect locally stored data. The two most widely used operating systems today—Microsoft Windows and Apple OS X—offer encryption software, known as BitLocker and FileVault respectively. But depending on the nature of your data, your business may require additional security.
- Implement end-to-end encryption for all email platforms. End-to-end encryption protects data as it travels between the sender and the recipient. Data is encrypted at the source, unreadable in transit, and decrypted at its endpoint.
- Many cloud service providers use encryption to protect client data, but you should still encrypt data before transferring it to the cloud. If data is encrypted by a company prior to offsite storage, it can only be decrypted by authorized users.
- All data stored in your offline backups should be encrypted. That way, if hackers manage to infiltrate your backups, they still won’t be able to access your information.
- You can secure the connections between remote devices and your business computers by setting up a virtual private network, or VPN.
Best Practices: How do I implement encryption?
1. Determine what needs protection.
Government regulations usually require encryption of sensitive data, with overarching guidelines for certain industries. To maintain compliance, evaluate the sensitivity of your data based on these regulations and identify your primary risks in data management; choose encryption products that reflect the extent of protection needed.
2. Be thorough.
Before selecting an encryption vendor, ask whether their encryption algorithm adheres to industry standards, how the encryption key is generated, and whether it will expire after a predetermined period of time. Other key considerations include the speed of encryption, memory usage, cost, and the range of application coverage. Working through these questions will help ensure that you’ve selected the right program for your needs.
3. Vet your cloud vendors.
Confirm whether your cloud vendors include end-to-end encryption in their services; this guarantees that your vendors will not be able to access your data while it’s stored on their servers.
4. Ensure proper key management.
Once encryption technologies are in place, make sure that the decryption keys are properly managed, select a secure location to store them, and verify that they can only be accessed by authorized personnel.
Is encryption worth it?
We know, it sounds tedious—and costly—to add yet another security protocol to your systems. But if your organization suffers a breach, the cost of recovering from an attack will be significantly higher. In fact, the average cost of a breach is about $4.24 million USD according to IBM Security’s 2021 Cost of a Breach Report.
Even worse? Insurance companies now require baseline cybersecurity controls, like multi-factor authentication, encryption, offline back-ups, and security awareness training, before an organization can obtain Cyber Insurance. Without encryption, you won’t be able to rely on Cyber Insurance to cover your losses in the event of a breach, leaving yourself exposed to potentially millions in remediation costs.
That’s why encryption is vital to your cyber risk management strategy. It won’t just reduce the risk of data exfiltration and help you fend off ransom demands; it’ll improve your overall security posture, ensure you remain in good standing with your insurance company, and mitigate the financial, legal, and reputational consequences of a privacy breach.
For more guidance on cyber risk management, connect with PROLINK. With 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking and help you become resilient in the face of attack.
Our dedicated team of risk advisors will help you:
- Identify exposures based on your business operations and unique needs;
- Adopt a proactive approach to risk management to control your costs long-term;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Secure a specialized solution that aligns with your strategic objectives.
To learn about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.