3 minute read
Data encryption – benefits and risks in business
by AICM
Daniel Hains Director, Forensic Technology Vincents
Understanding data – modern
Businesses operating in modern IT environments typically store vast quantities of unstructured and structured databases comprised not only of their own files and records, but those of their clients, employees, referrers and marketing contacts. The data can be located almost anywhere, including in the cloud, and often is for information which is no longer required and dating back decades.
Recent breaches of Australian organisations, which have occurred on an enterprise level (Medibank, Optus, Woolworths, even the AFP), have upset markets and caused large-scale disruption to individuals and other businesses alike.
In almost all cases of incidents where organisations are subject to a data breach (or ‘hack’), this is not due to “007-style” sophisticated coding techniques enacted by skivvy-wearing spies parked in a van outside headquarters.
Modern day hacking is simply inducing normal people to hand over their passwords so that their intellectual property can be stolen – this is often referred to as ‘social engineering’.
When a hacker is allowed into the victim’s IT network, they usually either: z Inject code to encrypt the computer/IT network and then sell the decryption key to the victim, or z Steal anything of value and sell it to the highest bidder (usually back to the victim themselves).
What is encryption?
Encryption is the process of encoding a message or information in such a way that only authorised parties can access it by using an encryption key. The concept being that encryption protects your information, because it becomes impossible to ‘unlock’ it without the decryption key.
The encryption process takes the information (called plaintext) and by using an algorithm, transforms the information into a ‘cipher’. This makes the content unintelligible to anyone without the key, but the data can still be easily stored and transmitted publicly.
Therefore, your data is protected by the encryption and safeguards it against potential threats. While in principle it could be possible to decrypt the message without possessing the key, for a well-designed encryption scheme this can only be achieved by applying massive computational resources, technical skills and not to mention, a near immortal lifespan.
Many organisations are now storing data under encryption algorithms which are provided increasingly by standard operating systems (Windows Bitlocker, Apple FileVault) and popular document management systems (Sharepoint, Docuware, OnlyOffice etc).
Benefits of encryption
Encryption creates a major obstacle for investigators, hackers or anyone wanting to access files without authority, even employees wishing to remove files for their own use. For example, SharePoint has a feature which allows files to be accessed or exported from the system. Those files, however, remain encrypted unless they are being viewed on a device which has the necessary certificates installed.
The benefit of encrypted data is that the data is impossible to access without authority from users. Even if an organisation has been breached and files removed, when properly implemented, the content of the encrypted files is protected and inaccessible.
This benefit extends itself to the Australian Privacy Legislation for Notifiable Breaches, where an organisation must notify individuals of a data breach when it is likely to result in serious harm to the individual whose information was compromised.
With encrypted data, however, if an organisation has suffered a data breach, there may be no harm to individuals because any personally identifiable information was protected. Therefore, benefiting the organisation as this assurance reduces both cost and damages by a significant amount.
More information from the Office of the Australian Information Commissioner is available here.
Risks of encryption
While encryption can provide definite benefits to an organisation, it is important to be aware of the risks.
Lost encryption keys: The benefit of encryption is also the principal risk. That is, without the password decryption key, files are completely unrecoverable. Any recovery solution reverts to the requirements for an extremely powerful computer and the time needed to try to ‘break in’. This means ensuring the encryption key is not lost is crucial.
Data deletion: Systems are normally designed with redundancies, such as a backup of the data and a separate backup of the encryption keys. However, if segregation of duties is not maintained, it may be possible for a malicious employee to destroy the primary data, backups and encryption keys all at once.
Applications and document management systems endeavour overcome this risk through use of secure certificates and hidden keys.
Increased load on systems: Older systems may struggle with the increased processing demands of encrypted data and this means the potential for lost files.
Loss/disclosure of data in transit: Although a more remote risk, with the use of cloud storage, the network and server infrastructure are not under your control and there is therefore a risk of data interception. While many applications use Transport Layer Security (TLS) to encrypt traffic, there are many other communications that cannot use TLS.
In conclusion, although the use of encryption does not guarantee that your data is impossible to infiltrate, it is a recommended safety mechanism. If your business considers how they can minimise the possible risks involved prior to implementation, it significantly reduces the likelihood of your data being accessed by malicious persons.
Daniel Hains Director, Forensic Technology Vincents
