Two experts from security firms explain the basics of why your business needs a security and encryption policy.
The debate about encryption has shifted back to the realm of law enforcement, in the wake of last week's attack in Paris. Though the attackers' use of encryption is still being evaluated, public officials and law enforcement agencies have expressed renewed concerns about private communication applications.
It's easy to understand why policy makers and the police believe encryption hampers their work. While PGP and proper encryption can be a kludgy process, new applications like Telegram, Wickr, and Cyber Dust make discreet messaging and encryption accessible to a market of mobile consumers and criminals.
However, encryption is also a critical tool for business. Though the debate about encryption can be confusing, a recent report by ZDNet found that encryption is now used by one in three small and mid-size businesses, and that security now consumes nearly 15% of IT budgets.
I asked two security experts about the key factors to consider when determining an encryption policy for your organization.
Why should businesses be concerned with encryption?
John Gunn, vice president at VASCO Data Security: "This is akin to asking why you should care about locks on your doors. Not everybody who wants access to your information has good intentions."
Travis Smith, security analyst at cyber threat protection firm Tripwire: "From a public standpoint, privacy is the main concern in the fight over encryption. In America, we enjoy many freedoms, including freedom of speech, but in more oppressive regions of the world free speech is not available. If we cripple encryption mechanisms (e.g., manufacturers providing the government 'keys' to access information), we would live in a world where there are no secrets and effectively no privacy."
What should you look for in good, secure communication tools?
Gunn: "First and foremost, [tools] have to be easy to use for both the sender and the recipient, or they just aren't practical for everyday use by the average consumer."
Smith: "The first component I look for in any tool housing sensitive information is end-to-end encryption. This simply means that the data is encrypted on the sender's device, and decrypted on the receiver's device. This approach significantly reduces the likelihood that any party between the sender and receiver can read the communications. The second critical feature of encrypted tools is the use of up-to-date encryption standards, such as AES-256. Using an encryption mechanism with known vulnerabilities is almost as bad as no encryption at all."
Both Gunn and Smith noted that with major messaging apps in particular, you should read the documentation and fine print. Double check that the apps do not leave data caches stored locally or in the cloud. Verify that your private data won't be used for marketing purposes.
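To make Smith's definition concrete, here is an added example (not code from the article or from either firm) of the two properties he names: the message is sealed on the sender's device with AES-256 (in GCM mode, so any alteration in transit is also detected) and can only be opened on the receiver's device. It assumes a 32-byte key the two devices already share; how that key is agreed is outside what the article covers, and the `Envelope` type is the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is everything a relay between the two devices sees: nonce plus AES-256-GCM ciphertext.
type Envelope struct{ Nonce, Ciphertext []byte }

// newGCM builds the AEAD; a 32-byte key is what selects AES-256 in crypto/aes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device, so plaintext never leaves it unencrypted.
func Seal(key, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs on the receiver's device; GCM's tag check rejects a wrong key or any altered byte.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Tamper flips one ciphertext bit in transit, as a compromised relay might, to show Open rejecting it.
func Tamper(env Envelope) Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return Envelope{env.Nonce, ct}
}
```

A relay holding any key other than the shared one gets an error from `Open`, as does the legitimate receiver if a single bit was changed on the way.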
What are the warning signs of poorly encrypted apps?
Gunn: "The average user has absolutely no means to measure the effectiveness of an encryption application."
What is a sensible personal policy for privacy?
Gunn: "The answer is a moving target influenced by two factors - the prevailing level of fear at that moment in time, and how much people trust their government to act responsibly with unconstrained access to all of their communications."