Why Is Encryption Important?
More and more companies get breached these days, undergoing huge financial and reputational losses. Over 5 billion records were compromised in 2019. The 2019 data breaches cost businesses over $2 trillion in total. The chance of a company becoming a data breach victim raised to 29% over the next two years. 43% of major data breach victims immediately go out of business.
29%
The chance of a company becoming a data breach victim over the next 2 years
> 5 bln
Amount of the records compromised in 2019
43%
Of major data breach victims immediately go out of business
Statistics don’t get any better in 2020. According to CRN, More than 3.2 million records were exposed in the 10 biggest data breaches in the first half of 2020, with eight of the top 10 breaches occurring at medical or health-care organizations. Breached records include sensitive data such as patient information, health records, payment data, etc.
Company | Number of Records Exposed | Reason |
| Tandem Diabetes Care | 140,781 | Unauthorized person gained access to an employee’s email account |
| Aveanna Healthcare | 166,077 | Suspicious activity relating to a number of employee email accounts |
| BST & Co., CPAs | 170,000 | A ransomware attack that encrypted files on its computer network |
| PIH Health | 199,548 | Employee email accounts had been accessed without authorization |
| Ambry Genetics | 232,772 | Unauthorized access to an employee’s email account |
| BJC HealthCare | 287,876 | Unauthorized person gained access to the employee email accounts |
| U.S. Marshals Service | 387,000 | A public-facing United States Marshals Service server was noticed to have been breached |
| Wichita State University | 440,968 | An unauthorized person gained access to a Wichita State University computer server |
| Elkhart Emergency Physicians | 550,000 | Confidential documents entrusted to Central Files had been improperly dumped in an unsecured South Bend-area location |
| Health Share Of Oregon | 654,362 | Personal information of its members was located on a laptop that was stolen |
According to the report, poor security measures lead to huge amounts of sensitive information exposed and accessed easily.
The pattern of breaching data has not changed for years. Getting access to data using employees’ email accounts still appears to be a top weakness for most organizations. Another reason for breaching data, is, of course, poor security measures on a server level. And this data only shows the vulnerabilities we know about. In many cases, companies don’t even realize they have been breached due to a lack of traceability measures taken for such events.
For this reason, it’s important for companies to encrypt their data. But not just encrypt everything – encrypt the data critical to the company – such as personally identifiable information, health records, payment data, confidential information, etc.
Encryption: Why it's not so simple?
“We already have encryption” means nothing
Bozhidar Bozhanov, CEO of LogSentinel
Encryption can be implemented in many different ways and on many different levels. Simply encrypting data at rest or data storage is not enough.
The use cases where encryption is ought to be implemented, are:
- Protecting sensitive data
- Protecting confidential communication
- Authentication
- Digital Signatures
Also, encrypting data only at one point does not make it secure at all levels. The types of data encryption are:
- Data At Rest
- Data in Transit
- Data in use
Therefore, if only data at rest is encrypted, it’s still exposed in use and in transit. To minimize the risk of data breaches, every single aspect of it should be considered.
Encryption Best Practices
Encrypting data is not a trivial task. It requires involvement in many teams and efforts. Furthermore, the more data the organization handles, the more it seems like a mission impossible.
Therefore, the data that is supposed to be encrypted by organizations should be “As much as possible, but no more”. We have separated the encryption best practices per organization roles, to make it more clear how the efforts put for protecting data should be distributed across teams:
Encryption Best Practices Per Organisation Role
| Developer | Sys Admin | Infosec Officer |
• Be able to encrypt sensitive data within the application • Use secrets manager via API • Discard and shred keys used in memory | • PKI and CA setup and support • Setup LUKS or similar wherever possible • Manage network policies for access to HSMs | • Introduce encryption policies • Make sure HSM (or IaaS KMS) policies are properly implemented • Cryptography training and knowledge sharing |
Encryption Best Practices: Action Plan & Encryption Policies
As we stated, the Information Security Officer should make sure that the data handled by the company is reviewed, and based on the findings, encryption policy is introduced.
To fulfill the encryption best practices, you need an action plan in place, covering the following 4 points:
1. Assess the Data to Encrypt
Information Security Officers are well aware that it seems impossible to encrypt all data, and therefore you should assess which data should be encrypted with priority – i.e. which data would harm the organization the most in cases of being lost or compromised.
Personal Identifiable Information (PII) and Personal Health Information (PHI) require data encryption in order to meet the regulations guarding personal data. Cardholder data, on the other hand, is required to be protected to meet payment security standards.
Even when data encryption is not exclusively mentioned, it happens to be the only appropriate security safeguard, and therefore taken into consideration.
2. Formulating a Security Strategy
A successful security strategy should take into account different internal and external security aspects, such as:
| Regulatory requirements related to the business | Regulations’ requirements concerning data security, such as PSD2, PCI DSS, HIPAA, GDPR, CCPA, should be taken into account as long as they are applicable to the organization. To some big enterprises, passing security standards such as ISO 27001 is also crucial. |
| Data Access Monitoring and Restrictions | What roles and privileges do users have, and who determines the data access? |
| Encryption Tools | Which encryption tools will be used by your company, that best suit your business needs |
| Encryption Algorithm | There are different algorithms for encrypting data, some of them – harder to decrypt than others. You can request information about the encryption algorithm used by your vendor and check if it meets the security standards you’re striving to cover. |
| Encryption Key Management System | Generating, storing, and replacing keys is crucial for protecting data. So is destroying encryption keys (i.e. crypto shredding). |
| Auditing logs, data, and documents | Logging events in a secure way, ensuring no one has tampered with your data and deleted the evidence (such as logs) after. Tracking irregularities and identifying unauthorized access is critical to be taken into account. |
3. Establishing a Secure Key Management System (KMS)
As we already mentioned, generating, storing, replacing, and destroying encryption keys is as important as encryption itself. To ensure proper key management, you should take into account the following:
- Encryption keys represent a security risk that should be addressed in your policies
- Encryption keys should be stored in a secure location
- This secure location should be separate from the one the data is stored
- A backup key should be stored in a third, entirely different location as well
4. Applying Encryption Strategy
| Scalability | Encryption must be scalable across all your network and systems, without compromising productivity. It’s best to choose a sustainable solution protecting data in a growing environment such as clouds We at LogSentinel offer an encryption layer, suitable for legacy systems, as well as clouds, encrypting all your critical data, minimizing productivity impact. |
| Implementing Multiple Encryption Practices | Multiple encryption practices guarantee an additional layer of security, ensuring data remains secure even in the event of a data breach. |
| Cloud Integration | When interacting with cloud systems, you should determine what encryption will be applied to data stored in the cloud environment. You will also need to understand the impact of encryption upon the functionality of any application that uses infrastructure stored in the cloud. |
Encryption and IT Compliance: When Are We Required to Have It?
Regulations such as GDPR, ISO 27001, PCI-DSS, CCPA, PSD2, HIPAA, HITECH, SOX, GLBA, require proper technical measures to be taken in order to minimize the risk of data breaches and protect sensitive information. Even when it’s not specifically stated as a requirement, encryption is often the best practice for securing sensitive data.
Many of the standards and regulations follow NIST’s requirements for protecting data, which also covers encryption requirements.
The efforts in general to both regulators and standards are in a way to ensure high standards of applying technological measures when it comes to personal information. Encryption is one of the future-proof measures that will sustain in time, so that, every company should assess the sensitivity of their data, and start a process of applying appropriate technical measures if still hasn’t.
Interested in protecting your sensitive data achieving regulatory compliance with no compromise? Talk to us today and find out how:
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills into her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.
