Encryption
Written by: Madhu Maganti, CPA, CISA
The need for encryption is at an all-time high, with an increasing number of organizations and consumers falling victim to a whole host of cybercrimes. Cybercriminals never rest, and this means that organizations need to be vigilant and ensure the implementation of tough security measures.
You will find encryption in most things that run using an internet connection, from messaging apps and personal banking apps to websites and online payment methods.
And for consumers, making sure your data cannot be stolen or used for ransom has never been more important.
What is encryption?
Encryption prevents unauthorized access to your data, from emails to chat messages and bank details, by keeping communication secure between the parties involved.
This is done by ‘scrambling’ the information sent from one person to another into a lengthy code, making it unreadable for anybody else attempting to access it.
When the data is encrypted, the sender and the receiver are the only people who can decrypt the scrambled information back to a readable condition. This is achieved via ‘keys’, which only the users involved hold and which are needed to make the data unreadable and then readable again.
Put more simply, imagine encryption to be like translating your information into a language only you and your recipient know, and more importantly which a cybercriminal can’t translate.
Why is encryption important?
The purpose of file and disk encryption is to protect data stored on a computer or network storage system. All organizations, including small and midsize businesses (SMBs), that collect personally identifiable information (PII) like names, birthdates, Social Security numbers and financial information must secure that information. An organization can be sued if a computer containing PII is stolen and the information is leaked or shared.
If a laptop is lost or stolen and the files or disk aren’t encrypted, a thief can easily steal the information, so it’s a good practice to encrypt your sensitive data, if not your entire hard drive. The thief doesn’t even need to know the sign-on password to access the files – it’s easy to boot a computer from a USB thumb drive and then access the disks within the computer.
Disk encryption doesn’t protect a computer entirely. A hacker can still access the computer over an insecure network connection, or a user can click a malicious link in an email and infect the computer with malware that steals usernames and passwords. Those types of attacks require additional security controls, like anti-malware software, firewalls and awareness training. However, encrypting a computer’s files or the entire disk greatly reduces the risk of data theft.
How does encryption work?
In the online world, encryption disguises data by rearranging the data bits so that nobody can read or see the information without the secret key. This key can consist of a password or a digital file, aka a keyfile. Encryption secures plain text as well as any other digital media like photos, videos or software; you can also encrypt a whole operating system or a partition.
To secure data, encryption uses mathematical functions known as cryptographic algorithms, aka ciphers. Some examples of well-known and trusted cryptographic algorithms are AES, Blowfish, Twofish and Serpent; these ciphers can be subcategorized with a number indicating their strength in bits.
An encryption algorithm’s key length indicates its size measured in bits. The length indicating the algorithm’s strength in bits will always be even (a bit is the binary unit, a zero or a one). These keys are used to control the operation of a cipher.
The more mathematical strength the encryption algorithm has, the more difficult it will be to crack without access to the key, but a strong cipher normally requires more computational power. A few seconds of waiting might not matter much to the home user, but for businesses dealing with thousands of calculations each hour to decrypt/encrypt data on their servers it means that more money has to be spent on hardware and electricity.
Advantages of encryption
Maintains Integrity
Hackers don’t just steal information; they can also benefit from altering data to commit fraud. While it is possible for highly skilled and technical individuals to alter encrypted data, recipients of the data will be able to detect the corruption, allowing for a quick response to the cyber-attack.
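The detection described above only happens when the encryption scheme carries an integrity check: a stream or counter-mode cipher on its own is malleable, so a changed ciphertext bit simply becomes a changed plaintext bit and the recipient sees a different, plausible message with no error. The following example is added here to show that difference; it is not code from the original article or from ABIP. It is built only from the Python standard library: a passphrase is stretched into keys with PBKDF2 (the "password or keyfile" mentioned under How does encryption work), the ciphertext is produced by a counter-mode keystream using HMAC-SHA256 as the pseudorandom function, and an HMAC tag over the ciphertext provides the integrity check. The passphrase, the message and the simulated in-transit corruption are constructed sample values. The construction is sound (encrypt-then-MAC with independent keys) but is a teaching device; production code should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a reviewed library.

```python
"""Encrypt-then-MAC teaching example using only the Python standard library.

Constructed example: the stream cipher is a counter-mode keystream generated
with HMAC-SHA256 as the pseudorandom function; the integrity tag is a second
HMAC over everything the receiver needs to decrypt. Production systems should
use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) from a reviewed library instead.
"""
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # work factor per passphrase guess; raise over time
SALT_LEN = 16                # random salt stored with the ciphertext
NONCE_LEN = 16               # random per-message nonce stored with the ciphertext
TAG_LEN = 32                 # HMAC-SHA256 output length in bytes
HEADER_LEN = SALT_LEN + NONCE_LEN


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a passphrase into an encryption key and an independent MAC key.

    PBKDF2 makes every guess cost 200k HMAC evaluations, so the strength of
    the result depends on how many guesses an attacker must try: a long
    passphrase survives, a dictionary word does not.
    """
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) for each block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # The tag covers salt, nonce and ciphertext, so any change to the inputs the
    # receiver relies on is detected before a single plaintext byte is produced.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase: str, blob: bytes) -> bytes | None:
    """Return the plaintext, or None when the tag fails (tampering or wrong passphrase)."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def decrypt_without_integrity_check(passphrase: str, blob: bytes) -> bytes:
    """The same cipher with the tag ignored: encryption alone gives no integrity."""
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:HEADER_LEN]
    ciphertext = blob[HEADER_LEN:-TAG_LEN]
    enc_key, _ = derive_keys(passphrase, salt)
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def corrupt_byte(blob: bytes, index: int, mask: int) -> bytes:
    """Constructed in-transit corruption: XOR one stored byte with a mask."""
    damaged = bytearray(blob)
    damaged[index] ^= mask
    return bytes(damaged)


def demo() -> dict:
    passphrase = "correct-horse-battery-staple-2024!"   # constructed sample passphrase
    message = b"PAY $100 TO ALICE"                      # constructed sample message
    blob = encrypt(passphrase, message)
    # Corrupt the ciphertext byte under the '1' of "$100". Because XOR is
    # bitwise, the unauthenticated receiver decrypts it as "$900" with no error.
    position = HEADER_LEN + message.index(b"1")
    damaged = corrupt_byte(blob, position, ord("1") ^ ord("9"))
    return {
        "roundtrip": decrypt(passphrase, blob),
        "damaged_rejected": decrypt(passphrase, damaged),
        "damaged_unchecked": decrypt_without_integrity_check(passphrase, damaged),
        "wrong_passphrase": decrypt("wrong passphrase", blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the block prints the four outcomes: the genuine blob round-trips, the damaged blob is rejected by the authenticated path, the same damaged blob silently yields "PAY $900 TO ALICE" when the tag is ignored, and a wrong passphrase is rejected rather than producing garbage. The MAC key is separate from the encryption key and the comparison is constant-time; both are the details a reviewer checks first in a home-grown scheme.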
Secure Data At All Times
Encryption works whether data is stored or transferred, making it an ideal solution no matter how data is being used. Usually, data is most vulnerable to attack when being moved from one place to another, so encryption provides protection during this process.
Protects Privacy
Encryption is used to protect sensitive data, including personal information for individuals. Encryption therefore ensures anonymity and privacy, reducing opportunities for surveillance by both criminals and government agencies. Encryption technology is so effective that some governments are attempting to put limits on the effectiveness of encryption.
Protection Across Multiple Devices
Mobile devices are a big part of our lives, and we often own several. As technology develops, more and more of these devices are joining the Internet of Things (IoT) phenomenon. Encryption technology can help protect data and sensitive information across all devices, whether being stored or even during transfer.
Part of Compliance
Many industries and organizations have strict compliance requirements to help protect the data of their company and their customers or clients. ABIP assists clients with regulatory compliance assessments such as HIPAA, GDPR, CCPA, NYDFS 500, etc. and we opine on the strength of the existing encryption processes as well as provide recommendations based on benchmark practices.
Encryption security tips
- Always choose an encryption program that uses a standard cipher that has been scrutinized by experts, e.g. AES
- Do not use dictionary words as your password; use a long passphrase made up of upper- and lower-case letters, punctuation and numbers
- Do not use the passphrase you use to encrypt your data for anything else, such as your webmail password or an online forum whose security could be compromised
- Never trust a third-party service to store your encryption keys or carry out the encryption implementation; if you store data online, encrypt it yourself on your computer
- Watch out for keyloggers and malware on your computer that could capture your keystrokes and your secret passphrase; use an updated antivirus and firewall
- Never reveal your password to anyone, not even to an IT support desk