Data Encryption: Importance, Best Practices, IT Compliance

Why Is Encryption Important?

More and more companies get breached these days, suffering huge financial and reputational losses. Over 5 billion records were compromised in 2019, and the 2019 data breaches cost businesses over $2 trillion in total. The chance of a company becoming a data breach victim over the next two years has risen to 29%, and 43% of major data breach victims immediately go out of business.


Statistics don’t get any better in 2020. According to CRN, more than 3.2 million records were exposed in the 10 biggest data breaches in the first half of 2020, with eight of the top 10 breaches occurring at medical or health-care organizations. The breached records include sensitive data such as patient information, health records and payment data.

Company | Number of Records Exposed | Reason
--- | --- | ---
Tandem Diabetes Care | 140,781 | Unauthorized person gained access to an employee’s email account
Aveanna Healthcare | 166,077 | Suspicious activity relating to a number of employee email accounts
BST & Co., CPAs | 170,000 | A ransomware attack that encrypted files on its computer network
PIH Health | 199,548 | Employee email accounts had been accessed without authorization
Ambry Genetics | 232,772 | Unauthorized access to an employee’s email account
BJC HealthCare | 287,876 | Unauthorized person gained access to the employee email accounts
U.S. Marshals Service | 387,000 | A public-facing United States Marshals Service server was noticed to have been breached
Wichita State University | 440,968 | An unauthorized person gained access to a Wichita State University computer server
Elkhart Emergency Physicians | 550,000 | Confidential documents entrusted to Central Files had been improperly dumped in an unsecured South Bend-area location
Health Share Of Oregon | 654,362 | Personal information of its members was located on a laptop that was stolen

According to the report, poor security measures led to huge amounts of sensitive information being exposed and easily accessed.

The pattern of data breaches has not changed for years. Gaining access to data through employees’ email accounts still appears to be a top weakness for most organizations. Another common cause is, of course, poor security measures at the server level. And this data only shows the breaches we know about: in many cases, companies don’t even realize they have been breached, because no traceability measures were in place to detect such events.

For this reason, it’s important for companies to encrypt their data. But not simply everything: encrypt the data critical to the company, such as personally identifiable information, health records, payment data and confidential information.

Encryption: Why It’s Not So Simple


“We already have encryption” means nothing

Bozhidar Bozhanov, CEO of LogSentinel

Encryption can be implemented in many different ways and at many different levels. Simply encrypting data at rest, i.e. in storage, is not enough.

The use cases where encryption ought to be implemented are:

  • Protecting sensitive data
  • Protecting confidential communication
  • Authentication
  • Digital signatures

Also, encrypting data only at one point does not make it secure at all levels. The types of data encryption are:

  • Data at rest
  • Data in transit
  • Data in use

Therefore, if only data at rest is encrypted, the data is still exposed while in use and in transit. To minimize the risk of data breaches, every one of these states should be considered.

Encryption Best Practices 

Encrypting data is not a trivial task. It requires involvement and effort from many teams. Furthermore, the more data the organization handles, the more it seems like mission impossible.

Therefore, the rule of thumb for what organizations should encrypt is “as much as possible, but no more”. We have separated the encryption best practices by organization role, to make it clearer how the effort of protecting data should be distributed across teams:

Encryption Best Practices Per Organisation Role

Developer

  • Be able to encrypt sensitive data within the application
  • Use a secrets manager via API
  • Discard and shred keys used in memory

Sys Admin

  • PKI and CA setup and support
  • Set up LUKS or similar wherever possible
  • Manage network policies for access to HSMs

Infosec Officer

  • Introduce encryption policies
  • Make sure HSM (or IaaS KMS) policies are properly implemented
  • Cryptography training and knowledge sharing

Encryption Best Practices: Action Plan & Encryption Policies

As we stated, the Information Security Officer should make sure that the data handled by the company is reviewed and, based on the findings, an encryption policy is introduced.

To fulfill the encryption best practices, you need an action plan in place, covering the following 4 points:

1. Assess the Data to Encrypt

Information Security Officers are well aware that encrypting all data seems impossible, and therefore you should assess which data should be encrypted first, i.e. which data would harm the organization the most if lost or compromised.

Personally Identifiable Information (PII) and Protected Health Information (PHI) require encryption in order to meet the regulations guarding personal data. Cardholder data, on the other hand, must be protected to meet payment security standards.

Even where data encryption is not explicitly mentioned, it often turns out to be the only appropriate security safeguard, and should therefore be taken into consideration.

2. Formulate a Security Strategy

A successful security strategy should take into account different internal and external security aspects, such as:

  • Regulatory requirements related to the business: regulations’ requirements concerning data security, such as PSD2, PCI DSS, HIPAA, GDPR and CCPA, should be taken into account as long as they are applicable to the organization. For some big enterprises, passing security standards such as ISO 27001 is also crucial.
  • Data access monitoring and restrictions: what roles and privileges do users have, and who determines the data access?
  • Encryption tools: which encryption tools your company will use, and which best suit your business needs.
  • Encryption algorithm: there are different algorithms for encrypting data, some of them much harder to break than others. You can request information about the encryption algorithm used by your vendor and check whether it meets the security standards you’re striving to cover.
  • Encryption key management system: generating, storing and replacing keys is crucial for protecting data. So is destroying encryption keys (i.e. crypto shredding).
  • Auditing of logs, data and documents: logging events in a secure way, so that no one can tamper with your data and then delete the evidence (such as logs) afterwards. Tracking irregularities and identifying unauthorized access is critical and must be taken into account.

3. Establish a Secure Key Management System (KMS)

As we already mentioned, generating, storing, replacing, and destroying encryption keys is as important as encryption itself. To ensure proper key management, you should take into account the following:

  • Encryption keys represent a security risk that should be addressed in your policies
  • Encryption keys should be stored in a secure location
  • This secure location should be separate from the one where the data is stored
  • A backup key should be stored in a third, entirely different location as well
 
4. Apply the Encryption Strategy

Scalability

Encryption must be scalable across all your network and systems, without compromising productivity.

It’s best to choose a sustainable solution that protects data in a growing environment, such as the cloud.

We at LogSentinel offer an encryption layer, suitable for legacy systems, as well as clouds, encrypting all your critical data, minimizing productivity impact.

Implementing Multiple Encryption Practices

Multiple encryption practices provide an additional layer of security, ensuring data remains secure even in the event of a data breach.

Cloud Integration

When interacting with cloud systems, you should determine what encryption will be applied to data stored in the cloud environment. You will also need to understand the impact of encryption on the functionality of any application that uses infrastructure hosted in the cloud.

Encryption and IT Compliance: When Are We Required to Have It?

Regulations and standards such as GDPR, ISO 27001, PCI DSS, CCPA, PSD2, HIPAA, HITECH, SOX and GLBA require proper technical measures to be taken in order to minimize the risk of data breaches and protect sensitive information. Even when it’s not specifically stated as a requirement, encryption is often the best practice for securing sensitive data.

Many of these standards and regulations follow NIST’s requirements for protecting data, which also cover encryption.

In general, the aim of both regulators and standards bodies is to ensure a high standard of technological measures wherever personal information is handled. Encryption is one of the future-proof measures that will stand the test of time, so every company should assess the sensitivity of its data and, if it hasn’t already, start applying appropriate technical measures.

Interested in protecting your sensitive data and achieving regulatory compliance with no compromise? Talk to us today and find out how.
