How can you protect your data against attack and exposure? We have one word for you: Encryption!
You might not always be able to keep a hacker out of your systems, but in the unfortunate event that someone manages to get in, if you’ve used encryption the bad guys will have a much tougher time getting to anything of value.
So what does “Encryption! Encryption! Encryption!” really mean? It starts at the basic hardware level with disk-level encryption, so that if any device (a computer, laptop, iPad, smartphone, USB drive, etc.) is lost or physically removed from your premises, the storage on that device is secure. The next “Encryption!” is using it to secure your individual files, and the final “Encryption!” is using it to secure any of your sensitive email communications. Let’s start with hardware first.
Storage in all computers (desktops and servers) and mobile devices should be encrypted, but servers are a special case. There are two viewpoints on whether using encryption on servers is a good idea: one camp suggests that it introduces an unacceptable performance hit, while the other argues that the performance loss is less important than ensuring security (for example, see Ben Armstrong’s Virtualization Blog). Azstec would argue that for applications that aren’t database I/O intensive you should encrypt your server storage. For I/O-intensive database environments, whether or not you encrypt should be determined by an estimate of the cost of loss and exposure of data versus the cost of upgrading your hardware or living with reduced throughput or increased response time.
Encryption: Laptops and Desktops
Disk encryption is a must for laptops, regardless of whether they are used inside or outside your physical location, as they can easily be lost or stolen. We also recommend using encryption on desktops because it’s not impossible for them to be stolen in a burglary. Another issue that is often overlooked is that unencrypted storage is exposed when you send a machine for repair or disposal. Even a failed drive can potentially be recovered, so trusting your valuable data to a service organization or waste disposal company could well be taking an unacceptable risk.
Ban USB Storage (or use Encryption if You Can’t)
One risk that’s often overlooked when security is considered is removable USB storage devices, which should always be encrypted. Microsoft’s BitLocker can be set up to encrypt removable storage, and you should have a policy in your organization that all data copied from your systems must only be stored in an encrypted form. But even then, Azstec doesn’t recommend the use of USB storage devices except for system management tasks such as creating recovery drives, as they’re a huge source of malware. With today’s ease of moving data online, we recommend you don’t allow USB storage devices within your organization and consider blocking USB ports on your desktops and other devices, physically or via software, where practical.
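The three controls above (encrypt any removable drive that is allowed, refuse to write to unencrypted ones, and block USB storage outright where it is banned) can all be applied from an elevated PowerShell session on Windows 10/11 Pro or Enterprise. This is an added example, not Azstec’s code; the function names are hypothetical and the drive letter E: is an assumed example value. The registry values used are the ones behind the “Deny write access to removable drives not protected by BitLocker” Group Policy setting and the USB mass-storage class driver’s start type.

```powershell
# Added example (not from the post): removable-storage controls with BitLocker To Go.
# Run elevated. Function names are hypothetical; "E:" is an assumed example drive.

# 1. Encrypt an allowed removable drive with a password protector.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,       # e.g. "E:"
        [Parameter(Mandatory)] [securestring] $Password
    )
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $Password -UsedSpaceOnly
}

# 2. Policy: writes are only allowed to removable drives that BitLocker protects.
#    Same effect as the Group Policy setting "Deny write access to removable drives
#    not protected by BitLocker" (HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVDenyWriteAccess).
function Set-RemovableDriveWritePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'RDVDenyWriteAccess' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Where USB storage is banned: disable the USB mass-storage class driver so new
#    USB disks are never mounted (keyboards, mice and other USB devices are unaffected).
#    Start = 4 means "disabled"; set it back to 3 to re-enable.
function Disable-UsbMassStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4
}

# Audit: list currently attached removable volumes that are NOT BitLocker-protected.
function Get-UnprotectedRemovableDrives {
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { Get-BitLockerVolume -MountPoint "$($_.DriveLetter):" } |
        Where-Object ProtectionStatus -eq 'Off' |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Usage (example values):
# $pw = Read-Host -AsSecureString 'Drive password'
# Protect-RemovableDrive -MountPoint 'E:' -Password $pw
# Set-RemovableDriveWritePolicy
# Get-UnprotectedRemovableDrives
```

Apply the write-deny policy on every desktop first, then decide per machine class whether the USBSTOR driver is disabled as well; the audit function is the check that tells you which drives currently plugged in would be cut off by the policy.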
Encryption: Backup Tapes
We didn’t have the space to discuss backups and the use of removable storage devices in our original blog post, but it’s important to note that all major vendors’ backup applications and tape drives support encryption. If you’re storing backups or archiving offsite, you must use encryption for backups. The biggest issue with encrypting tapes and drives (or anything that’s encrypted, for that matter) is having a key management system in place so that, in the hopefully unlikely event you have to restore your files, you have the encryption keys (Computer Weekly has a good article on setting up a key management system).
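Tape and backup-application key management is vendor-specific, but the same discipline applies to the BitLocker volumes from the sections above: every encrypted volume needs a recovery key that is stored somewhere other than the volume itself, and a restore should be rehearsed before you depend on it. The example below, which is added here and is not Azstec’s code, does that for a domain-joined Windows machine: it adds a recovery password to any BitLocker volume that lacks one, escrows it in Active Directory with the built-in Backup-BitLockerKeyProtector cmdlet, and runs a lock/unlock drill on a data volume. It assumes an elevated session and that the Group Policy allowing AD DS to store BitLocker recovery information is enabled; function names are hypothetical.

```powershell
# Added example (not from the post): BitLocker recovery-key escrow and a restore drill.
# Assumes an elevated session on a domain-joined machine with AD DS recovery-key
# backup permitted by policy. Function names are hypothetical.

# Ensure every BitLocker volume has a recovery password and escrow it in AD DS.
function Backup-RecoveryKeysToAD {
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # No recovery password yet: add one so the volume can be unlocked
            # without its usual protector (TPM, password, smart card).
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId
                EscrowedToAD   = $true
            }
        }
    }
}

# Report volumes that still have no recovery password (the gap a restore would hit).
function Get-VolumesWithoutRecoveryPassword {
    Get-BitLockerVolume | Where-Object {
        -not ($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    } | Select-Object MountPoint, VolumeType, ProtectionStatus
}

# Restore drill for a DATA volume (Lock-BitLocker cannot lock the OS volume):
# dismount it, then prove the escrowed 48-digit recovery password really unlocks it.
function Test-RecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,        # e.g. "E:"
        [Parameter(Mandatory)] [string] $RecoveryPassword   # from AD DS or your key store
    )
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Unlocked'
}

# Usage (example values):
# Backup-RecoveryKeysToAD
# Get-VolumesWithoutRecoveryPassword
# Test-RecoveryPassword -MountPoint 'E:' -RecoveryPassword '123456-123456-123456-123456-123456-123456-123456-123456'
```

Run the escrow function as part of provisioning and the drill as part of your periodic restore test; a recovery password that was never written down anywhere but the drive is exactly the key-management failure the paragraph above warns about.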
Encrypting individual files with even vaguely confidential content is vital to practical security. If you use cloud storage services for your company, you must encrypt every confidential file you store in the cloud and make sure that only YOU own the keys to this data. There are many cloud services that claim they use encryption on your data; however, the only way to ensure your data is as close to 100% secure as possible is if you hold the keys. Azstec is introducing a desktop and web version of docNCRYPT that will allow you to manage the keys to all of your Office documents stored in any cloud for just this reason. We will be shipping a beta version of this software shortly. [Update: We have released a version for limited field testing and will be announcing a free beta test program for this product. Click here and give us your email if you are interested in being a beta customer.]
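What “you hold the keys” means in practice is that the file is encrypted on your own machine, with a key generated and stored there, before it ever reaches a cloud-synced folder; the provider only ever sees ciphertext. The following is an added example, not docNCRYPT or any Azstec code: it uses the .NET AES and HMAC classes that ship with Windows PowerShell to apply AES-256-CBC with a fresh random IV per file and an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC), and it refuses to decrypt anything whose tag does not verify. Function names and the paths in the usage lines are hypothetical.

```powershell
# Added example (not docNCRYPT): client-side file encryption with a locally held key.
# Envelope layout: [16-byte IV][AES-256-CBC ciphertext][32-byte HMAC-SHA256 tag].
# Function names are hypothetical; key file = 32 bytes AES key + 32 bytes HMAC key.

function New-LocalFileKey {
    param([Parameter(Mandatory)] [string] $KeyPath)
    $key = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)
    # Keep this file OUT of any cloud-synced folder: whoever holds it can read every file.
}

function Protect-FileWithLocalKey {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $key   = [System.IO.File]::ReadAllBytes($KeyPath)
    $plain = [System.IO.File]::ReadAllBytes($Path)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [byte[]]$key[0..31]
    $aes.GenerateIV()                                   # never reuse an IV with the same key
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([byte[]]$key[32..63])
    $tag  = $hmac.ComputeHash([byte[]]($aes.IV + $cipher))
    [System.IO.File]::WriteAllBytes($OutFile, [byte[]]($aes.IV + $cipher + $tag))
}

function Unprotect-FileWithLocalKey {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $OutFile
    )
    $key  = [System.IO.File]::ReadAllBytes($KeyPath)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    if ($blob.Length -lt 64) { throw "Not a valid envelope: file too short" }
    $iv     = [byte[]]$blob[0..15]
    $cipher = [byte[]]$blob[16..($blob.Length - 33)]
    $tag    = [byte[]]$blob[($blob.Length - 32)..($blob.Length - 1)]
    $hmac     = [System.Security.Cryptography.HMACSHA256]::new([byte[]]$key[32..63])
    $expected = $hmac.ComputeHash([byte[]]($iv + $cipher))
    # Compare every byte (no early exit) so timing does not leak where the tag differs.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Integrity check failed: wrong key or the file was modified" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [byte[]]$key[0..31]
    $aes.IV  = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutFile, $plain)
}

# Usage (example paths): the key stays in the profile, only the .enc file goes to the cloud.
# New-LocalFileKey -KeyPath "$env:USERPROFILE\cloud.key"
# Protect-FileWithLocalKey -Path .\board-minutes.docx -KeyPath "$env:USERPROFILE\cloud.key" `
#     -OutFile "$env:USERPROFILE\OneDrive\board-minutes.docx.enc"
# Unprotect-FileWithLocalKey -Path "$env:USERPROFILE\OneDrive\board-minutes.docx.enc" `
#     -KeyPath "$env:USERPROFILE\cloud.key" -OutFile .\board-minutes.docx
```

The tag check runs before any decryption so a tampered or truncated download is rejected outright, and the key file is the one thing that must be backed up separately (see the key-management point under backups): losing it loses every file encrypted with it.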
As an example of how important file encryption is in real life, it’s reported that in the Ashley Madison breach the hackers obtained an unencrypted text file that contained the access credentials to the servers. Had Ashley Madison management had a policy of encrypting all files, it’s likely that this major breach would never have occurred.
All sensitive and confidential email must be encrypted; of course, we recommend docNCRYPT as the easiest and most effective email and document security solution. Even though Microsoft and Google have both announced that they use TLS to encrypt in-transit email, the fact is that you cannot be sure your email will go where you think it will go; human error (autocompletion of email addresses, for example) and service provider mistakes are actually your biggest risk. docNCRYPT also addresses the problem of data at rest (for example, when it lands on cloud storage or mail service systems), which TLS and other “in-transit” solutions do not.
The beauty of docNCRYPT is that it encrypts your data in transit as well as at rest, so you and your customers don’t have to worry about complicated portals or custom applications, and because it works within your normal workflow in MS Office, it’s painless and easy for you and your staff to use. As we highlighted in a previous post (The biggest problem in security is YOU), the biggest security risk you face is human error, which is why we designed docNCRYPT to work within your normal office workflow. Security experts Graham Cluley and Bruce Schneier have been harping on this for years. At least we got the message!
Don’t forget we’re also offering a free two-month license for docNCRYPT along with our Azstec Cybersecurity Workbook and an eBook of our responses to the many questions asked during our seminars. These are available for everyone and we encourage you to take advantage of the offer and start protecting your email and documents and, most importantly, your business. Follow the link above and you will get a license key via email together with the two eBooks.
If you are now using a password manager and you start encrypting your data, you are well on your way to a safer 2016. Our next blog post, which is now published, addresses how you can protect yourself against ransomware.
David Griffith used to play golf but is now living and breathing cybersecurity as the CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com and follow the Azstec Blog or on Twitter or LinkedIn.