Do you expect companies to encrypt your data? Then you may be surprised by just how many businesses ignore encryption altogether.
Why Companies Don’t Encrypt
From a consumer standpoint, it seems like an obvious business tactic: encrypt the personal and sensitive information that you collect from your customers and other sources in order to protect it. But companies are having a tough time getting the message, and the number of security breaches due to poor, or absent, encryption continues to rise.
Take the health insurer Anthem, which held a database with personal information on 80 million people – a database that was eventually hacked. Or Sterne Agee & Leach, which was fined by the Financial Industry Regulatory Authority after an unencrypted laptop containing the personal and financial information of clients was lost. Healthworks, out of California, also had to deal with the theft of an unencrypted laptop that put clients at risk. This is a widespread problem, and it’s not getting any better.
So, why don’t companies take the simple step of encrypting? There are a couple of probable reasons. Firstly – and particularly in the case of Anthem – they simply don’t have to, not according to current healthcare and business requirements. Secondly, adding encryption to databases and devices means extra expense for a company and extra time spent by IT.
Thirdly, even companies that are interested in security often skip data encryption in favor of other measures, such as passcode locks. From the standpoint of Anthem and other companies, the attitude seems to be “that data is always going to be decrypted at some point (and so made vulnerable), so why encrypt it at all?”
The Crypto Bubble
The problem with not using encryption is that it pokes a lot of big holes in IT security that make it easier to steal data. Sure, data has to be decrypted at the point of use, but that’s like saying “Well, the manager opens the safe at the end of every day, so we might as well just leave it unlocked.”
To give the benefit of the doubt, that comparison may be a bit unfair. After all, some databases aren’t set up well for encrypting sensitive data and letting less important information flow free. Companies with a hodge-podge of devices or BYOD strategies may not be in a position to implement great encryption. Full disk encryption may not be necessary for every company or every hard drive. But that doesn’t make it unimportant. On the contrary, the more companies that are targeted by hackers because of absent encryption, the more consumers will notice. There’s already a call to investigate which popular companies encrypt and which don’t.
Business Encryption Options
Companies must consider both mobile security and desktop encryption needs in today’s wireless world. The options below all protect data in transit between a client and a server; the lost-laptop and breached-database cases above call for encryption at rest (full disk encryption, database encryption) as well. Common options for organizational encryption include:
- HTTPS: HTTP carried over TLS (transport layer security), the successor to the now-deprecated SSL (secure sockets layer). It encrypts web traffic between the browser and the server, so that anyone on the network path sees only ciphertext; it does nothing for data sitting on the server or on a stolen device.
- HSTS: HTTP Strict Transport Security builds on HTTPS. The server sends a Strict-Transport-Security response header telling the browser to use only HTTPS for that site for a set period (max-age), so later plain-HTTP requests are upgraded before they leave the browser. This blocks downgrade (“SSL stripping”) attacks, with the caveat that the very first visit is unprotected unless the domain is on the browser preload list.
- Forward Secrecy: Forward secrecy means each session is encrypted with a short-lived key derived from an ephemeral key exchange (ECDHE or DHE) rather than from the server’s long-term private key. If the server’s long-term key is later stolen, previously recorded traffic still cannot be decrypted. TLS 1.3 provides this for every connection; in TLS 1.2 it depends on the cipher suite chosen.
- STARTTLS: This method upgrades a plaintext connection on a protocol such as SMTP or IMAP into a TLS session on the same port, so mail traffic can be encrypted without a separate port. The caveat is that the upgrade is opportunistic: an attacker who can strip the STARTTLS capability from the server’s greeting can keep the session in plaintext unless the client is configured to require TLS.
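The checks a practitioner would run against these options can be done offline on captured headers, cipher suite names and server greetings. The script below is an added example, not code from the original article or from Rack Solutions: it parses a Strict-Transport-Security header per RFC 6797, classifies a cipher suite by whether its key exchange gives forward secrecy, and detects STARTTLS in an EHLO response. The header values, cipher names and the SMTP greeting are constructed samples, and the one-year max-age threshold is an assumed policy, not a standard.

```python
"""Offline checks for HTTPS/HSTS, forward secrecy and STARTTLS (added example)."""
import re

# RFC 6797 Strict-Transport-Security: max-age is required, directives appear at most once,
# unknown directives are ignored.
def parse_hsts(header_value):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None if the header is invalid (no max-age, non-numeric max-age, duplicate directive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: header MUST be treated as invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def hsts_findings(header_value, min_age=31536000):
    """Policy findings for an HSTS header; min_age of one year is an assumed local policy."""
    parsed = parse_hsts(header_value)
    if parsed is None:
        return ["invalid header or missing max-age"]
    findings = []
    if parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")  # browsers drop the cached policy
    elif parsed["max_age"] < min_age:
        findings.append("max-age shorter than policy minimum")
    if not parsed["include_subdomains"]:
        findings.append("subdomains not covered")
    return findings


# Forward secrecy comes from an ephemeral (EC)DHE key exchange. Accepts both OpenSSL-style
# names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names (TLS_ECDHE_RSA_WITH_...).
# All TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) use (EC)DHE and so always qualify.
def provides_forward_secrecy(cipher_suite):
    name = cipher_suite.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return name.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


# Constructed SMTP EHLO reply (RFC 5321 multi-line 250 response; last line uses a space).
SAMPLE_EHLO = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def smtp_supports_starttls(ehlo_response):
    """True if the EHLO reply advertises STARTTLS. A MITM that strips this line silently
    downgrades the session, so a client should require TLS rather than merely prefer it."""
    for line in ehlo_response.splitlines():
        match = re.match(r"^250[ -](\S+)", line)
        if match and match.group(1).upper() == "STARTTLS":
            return True
    return False


if __name__ == "__main__":
    for hdr in ("max-age=31536000; includeSubDomains; preload", "max-age=0", "preload"):
        print(f"HSTS {hdr!r}: {hsts_findings(hdr)}")
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"):
        print(f"{suite}: forward secrecy={provides_forward_secrecy(suite)}")
    print("STARTTLS advertised:", smtp_supports_starttls(SAMPLE_EHLO))
```

Run against real servers, the same three functions would take the HSTS header from an HTTPS response, the negotiated cipher from the TLS handshake, and the EHLO reply from port 25 or 587; the logic does not change.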
Katrina is the resident how-to gal for Rack Solutions; visit her video series on YouTube called Ask Katrina.