As encryption adoption increases, more challenges arise
Nothing worth having comes easy. But good things come to those who encrypt (and do a good job managing the keys).
According to our Global Encryption Trends Study, cloud adoption and escalating data security threats are accelerating encryption deployments. To be exact, the growth rate of companies with an encryption strategy reached the highest level in the past four years, with a total of 41 percent now reporting they have a consistent encryption strategy.
Of course, I’m glad to see that organizations are adopting encryption, but there are challenges they will face. Here are the top five “gotchas” we see when organizations start encrypting:
1. Not knowing where the sensitive data goes.
Our study states 59 percent of organizations say discovering where sensitive data resides in their organization is the biggest challenge. This is not surprising given the proliferation of data that is occurring with increased connectivity, more endpoint devices and increased use of the cloud. This is a hard-enough problem right now, but think about the compounding effect of IoT devices that are on the way. More “things” are connecting, bringing sensitive data with them. More on this next.
2. Encrypting in one place but not another.
For particular types of sensitive data, organizations may encrypt it in one storage location, but not another. As I just mentioned, sensitive data is increasingly moving beyond internal network boundaries to the cloud and to mobile devices, and with the IoT world there is a whole new source – and destination – for sensitive data. This is a gold mine for attackers, who like nothing more than to scour around for valuable targets once they breach an initial point of entry. Sophisticated attacks are designed to move laterally, looking for systems they can penetrate. Don’t implement a false sense of security; instead, choose to encrypt everything that’s important, wherever it goes.
3. No one owns key management.
Key management tends to live in silos in many organizations where, for example, your database team might implement one approach, and your file server team a different approach. The problem here is that different groups implementing encryption across different products and environments will inevitably lead to inconsistencies. Very few organizations have a group set up to oversee all encryption activities. This is where a centralized owner to key management comes in. Central key management enables implementation of a consistent enterprise policy for all aspects of encryption and key protection, and can help ensure that keys used for data encryption are rotated on time intervals in accordance with best practices for the chosen algorithms and key lengths, for example.
4. Limited expertise on how to manage keys.
To follow up on point No. 3, there are many key management offerings out there, but often the people in charge of deploying and operating them aren’t experienced with key management. As you may know, the information security field faces a shortage of trained and qualified personnel, and this is particularly true for matters related to encryption and key management. The workload placed on the qualified staff can put them in a position where they are challenged to manage the details necessary to ensure encryption is properly deployed, which in turn can increase the possibility of errors and mistakes.
5. Employee mistakes are the top threats, not hackers.
What was particularly interesting about the findings was that 54 percent of organizations rate employee mistakes as the most significant threat to sensitive data. That’s the same as hackers and malicious insiders combined. Surprised? Here’s an example. An attacker decides to target a specific company. He/she begins to monitor the activity of the CEO’s executive assistant, and finds out that the assistant is an avid cyclist and is participating in a bike race during the upcoming weekend. The following Monday, the hacker sends an email with a link that launches malicious code to the assistant titled, “Photos from this weekend’s race!” The assistant clicks on the email and the link, which is disguised as a simple file sharing link, and automatically installs the attacker’s program. The attacker is now ready to capture login credentials and keystrokes on the assistant’s computer. It only takes one person’s mistake to open the door to potentially significant attacks and social engineering like this one – and it’s becoming easier than ever.