madhu-maganti-web-2018

By Madhu Maganti, CPA, CISA – Director of IT Assurance and Security, Doeren Mayhew

The need for encryption is at an all-time high with an increasing number of organizations and consumers falling victim to a whole host of cybercrimes. Cybercriminals never rest, which  means organizations need to be vigilant as well as ensure tough security measures are implemented. According to industry experts, the biggest challenges in planning and executing data encryption technology include discovering where sensitive data resides in the organization, initially deploying the encryption technology and classifying which data to encrypt.

You will find encryption in most things that run using an internet connection, from messaging and personal banking apps, to websites and online payment methods.

And for consumers, making sure your data cannot be stolen or used for ransom has never been more important.

What is Encryption?

Encryption prevents unauthorized access to your data, from emails to chat messages and bank details, by keeping communication secure between the parties involved.

This is done by ‘scrambling’ the information sent from one person to another into a lengthy code making it unreadable for anybody else attempting to access it.

Once the data is encrypted, the sender and receiver are the only people who can decrypt the scrambled information back to a readable condition. This is achieved via ‘keys’, which grant only the users involved access to modify the data to make it unreadable and then readable again.

More simply explained, imagine encryption to be like translating your information into a language only you and your recipient know, and more importantly which a cybercriminal can’t translate.

Why is Encryption Important?

The purpose of file and disk encryption is to protect data stored on a computer or network storage system. All organizations, including small- and mid-sized businesses (SMBs), that collect personally identifiable information (PII) like names, birth dates, Social Security numbers and financial information must secure that information. Ensuring this information is secure by your organization is critical as you can be legally held responsible if a computer containing PII is comprised.

According to a recent study held by the Ponemon Institute, the most significant threats to the exposure of sensitive or confidential includes:

  • Employee mistakes – 47 percent
  • System or process malfunction – 31 percent
  • Hackers – 30 percent
  • Temporary or contract workers – 22 percent
  • Malicious insiders – 22 percent

If a laptop is lost or stolen and the files or disk are not encrypted, a thief can easily steal the information, so it’s a good practice to encrypt your sensitive data, if not your entire hard drive. The thief doesn’t even need to know the sign-on password to access the files – it’s easy to boot a computer from a USB thumb drive and then access the disk within the computer.

Disk encryption doesn’t protect a computer entirely. A hacker can still access the computer over an insecure network connection, or a user can click a malicious link in an email and infect the computer with malware that steals usernames and passwords. Those types of attacks require additional security controls, like anti-malware software, firewalls and awareness training. However, encrypting a computer’s files or the entire disk greatly reduces the risk of data theft.

How Does Encryption Work?

In the online world, encryption disguises data by rearranging the data bits so information can’t be read or seen without the secret key. This key can consist of a password or a digital file, also known as a keyfile. Encryption secures plain text as well as any other digital media like photos, videos or software, and you can also encrypt a whole operating system and a partition.

To secure data, encryption uses mathematic functions known as cryptography algorithms, also known as ciphers. Some examples of well-known and trusted cryptography algorithms are AES, Blowfish, Twofish and Serpent, and these ciphers can be subcategorized with a number indicating its strength in bits.

An encryption algorithm key length indicates its size measured in bits. The length indicating the algorithm strength in bits will always be even (bit is a binary unit composed of zeros and ones), and these keys are used to control the operation of a cipher.

The more mathematical strength the encryption algorithm has, the more difficult it will be to crack it without access to the key, but a strong cipher normally requires more computational power. A few seconds of waiting might not matter much to the home user, but for businesses dealing with thousands of calculations each hour to decrypt/encrypt data in their servers, it means that more money has to be spent in hardware and electricity.

Advantages of Encryption

A few advantages of encryption include:

  • Maintains Integrity: Hackers don’t just steal information, they also can benefit from altering data to commit fraud. While it is possible for highly skilled and technical individuals to alter encrypted data, recipients of the data will be able to detect the corruption, allowing for a quick response to the cyberattack.
  • Secures Data: Encryption works when data is stored or transferred, making it an ideal solution no matter how data is being used. Usually, data is most vulnerable to attack when being moved from one place to another, therefore encryption ensures protection during this process.
  • Protects Privacy: Encryption is used to protect sensitive data, including personal information for individuals. Encryption therefore ensures anonymity and privacy, reducing opportunities for surveillance by both criminals and government agencies. Encryption technology is so effective that some governments are attempting to put limits on the effectiveness of encryption.
  • Protects Multiple Devices: Mobile devices are a big part of our lives, and we often own several. As technology develops, more and more of these devices are joining the Internet of Things (IoT) phenomenon. Encryption technology can help protect data and sensitive information across all devices, whether being stored or even during transfer.
  • Ensures Compliance: Many industries and organizations have strict compliance requirements to help protect the company’s data and its customers or clients. Doeren Mayhew assists clients with regulatory compliance assessments such as HIPAA, GDPR, NYDFS 500, etc. and we opine on the strength of the existing encryption processes, as well as provide recommendations based on benchmark practices.

Encryption Security Tips

  • Always choose an encryption program that uses a standard cipher that has been scrutinized by experts, e.g. AES.
  • Do not use dictionary words as your password. Use a long passphrase made up of capital and small letters with punctuation signs and numbers.
  • Do not use the passphrase you use to encrypt your data for anything else like your webmail password or an online forum which security can be compromised.
  • Never trust a third-party service to store your encryption keys or carry out the encryption implementation, if you store data online encrypt it yourself in your computer.
  • Watch out for keyloggers and malware in your computer that could capture your keystrokes and your secret passphrase, use an updated antivirus and firewall.
  • Never reveal your password to anyone, not even to an IT support desk.

Our dedicated professionals within Doeren Mayhew’s IT Assurance and Cybersecurity Group work with several SMBs to identify potential security threats through appropriate testing and implement recommendations minimize their cyber risk. For assistance with navigating today’s cybersecurity threats and exploring options to protect your security posture, contact our leading cybersecurity advisors today.