Data encryption: How to avoid common pitfalls and improve cybersecurity
Data encryption is a vital component of cybersecurity. But many organizations take the wrong approach in their encryption strategies, making mistakes that either leave them at risk or cause headaches down the line.
Encryption is not something to get wrong, especially as hackers capitalize on the pandemic.
The FBI’s Cyber Division is receiving as many as 4,000 cyberattack complaints per day, a 400% increase compared to pre-COVID-19 figures. In March 2020 alone, phishing scams related to the pandemic jumped 667%, according to Barracuda Networks. And, from January to October of 2020, data breaches exposed 36 billion records.
In this post, we’ll take a closer look at data encryption strategies, including how to make sure you’re encrypting the right data, how to avoid common pitfalls, and how to adhere to best practices.
What types of data should your company encrypt?
Before encrypting anything, ask yourself: What information is most important to your business? The answer will vary from company to company, and industry to industry.
One obvious place to start is with regulation. There are over 1,800 data privacy regulations worldwide, including the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and the Payment Card Industry Data Security Standard (PCI DSS). Most companies must adhere to multiple regulations, so identifying the critical data – social security numbers, names and addresses, credit card numbers, and so on – that falls under your compliance requirements is essential.
Deploying discovery technologies can help you maintain compliance. These tools build a template around a regulation, then scan your applications, files, storage, and cloud environments, cross-referencing what they find against that template to flag the data that falls under it.
Aside from what falls under compliance, be sure to identify and encrypt your company’s essential intellectual property (IP). And if you’re moving that data to the cloud, consider encrypting it before doing so.
Only once you’ve identified your critical information can you protect it.
The most common encryption mistake
Once you’ve determined what to encrypt, plan ahead to avoid one of the most common pitfalls that can derail the process.
Encrypted data comes with an encryption key, and oftentimes, companies store these keys incorrectly. If you’re storing them in your database or file system, next to the data they protect, for example, it’s time for a new strategy.
Storing your keys centrally is the best practice. That way you’re prepared when the person holding a key leaves your company, when the laptop a key was stored on is lost or destroyed, or when the data you’ve encrypted is no longer sensitive and you want to delete it.
In addition to securing your keys centrally, make sure you’re consistently backing them up, archiving them, and rotating them.
Creating the encryption key is important, but managing the key lifecycle is equally vital.
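As an added illustration that is not part of the original post, the Python sketch below shows why central, versioned keys make the lifecycle tractable: a KeyManager stand-in holds key-encryption keys (KEKs), each record is encrypted under its own data-encryption key (DEK) that is wrapped by the active KEK, rotation re-wraps only the DEK, and deleting a KEK version renders everything under it unrecoverable. The KeyManager class, the Record layout and the HMAC-based stand-in cipher are assumptions of this example; a real deployment would use AES-GCM with keys held in a KMS or HSM.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Stand-in AEAD from the standard library only (HMAC-SHA256 keystream in counter mode
# plus an HMAC-SHA256 tag, encrypt-then-MAC); real deployments use AES-GCM via a KMS/HSM.
def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # domain-separated subkeys
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + _prf(mac_key, nonce + ct)
def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_stream(enc_key, nonce, ct)

@dataclass
class Record:  # what the application's database stores: never the KEK itself
    kek_version: int
    wrapped_dek: bytes
    ciphertext: bytes

class KeyManager:
    """Stand-in for a central key-management service (an assumption of this
    example): KEKs live here, never in the application's database or files."""
    def __init__(self):
        self.keks, self.active = {}, 0
        self.rotate()
    def rotate(self) -> int:  # new active KEK; older versions stay archived
        self.active += 1
        self.keks[self.active] = secrets.token_bytes(32)
        return self.active
    def retire(self, version: int) -> None:  # crypto-shredding for anything under it
        del self.keks[version]
    def encrypt(self, plaintext: bytes) -> Record:
        dek = secrets.token_bytes(32)  # fresh per-record data-encryption key
        return Record(self.active, seal(self.keks[self.active], dek), seal(dek, plaintext))
    def decrypt(self, r: Record) -> bytes:
        if r.kek_version not in self.keks:
            raise KeyError(f"KEK v{r.kek_version} was retired; data is unrecoverable")
        return unseal(unseal(self.keks[r.kek_version], r.wrapped_dek), r.ciphertext)
    def rewrap(self, r: Record) -> Record:  # rotation re-wraps the DEK, not the data
        dek = unseal(self.keks[r.kek_version], r.wrapped_dek)
        return Record(self.active, seal(self.keks[self.active], dek), r.ciphertext)
```

Because the data ciphertext never changes on rotation, a KEK can be rotated on a schedule without re-encrypting every record, and retiring an old version is an explicit, auditable deletion step rather than a lost laptop.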
Best practices for data encryption
Another commonly overlooked aspect of encryption is policy management.
Not all encryption is created equal. You may have different levels of encryption for different aspects of your business. Make sure you’re implementing appropriate policies around each element of the data stack – from applications, to files/folders, down to storage.
For example, if an application handles sensitive material, the right approach may be to encrypt or tokenize the sensitive data as soon as it’s created. It comes down to identifying where the data is being created, how it’s being stored, how it’s being used, and then applying encryption at the right level.
Another best practice concerns who manages encryption, a form of defense in depth: don’t give encryption management capabilities to just a single person.
Keep a close eye on access management and create separate levels of duties with different access controls. That way there’s no single point of failure where compromising one person’s credentials gives a bad actor access to all your sensitive information.
Additionally, encryption is not a one-off thing. Make sure you’re constantly monitoring your data and employing a strong audit and logging mechanism. That way, you can quickly identify malicious activity and react appropriately.
Don’t put your head in the sand
With more employees working remotely because of COVID-19, there’s an even greater risk of sensitive data getting into the wrong hands.
Fortunately, there are many data discovery and classification tools and data protection tools available, making encryption much easier to implement.
Utilizing a unified data security platform that combines all of the elements mentioned above – discover, protect, and control – can give you a single place to manage and control all of your sensitive data. You just have to be sure that you’re deploying encryption technology properly.
Only then can you help your business meet evolving data privacy requirements.
About the author
Todd Moore is the head of the Encryption Products portfolio at Thales Cloud Protection & Licensing, where he drives the strategy for the company’s industry-leading data encryption portfolio. Moore is a respected cybersecurity professional with more than 20 years of experience helping enterprises protect their most sensitive data and applications.