How robust is your encryption strategy?

By Luke Brown, VP EMEA, WinMagic

Because of the potential value of the information in their IT systems, financial institutions are frequent targets for cyber criminals.  Once protected by brick walls and layers of steel, financial services firms are being targeted by criminals who no longer need dynamite and lock picks to steal from them.  In recent years, some of the biggest data breaches have involved financial service providers, from banks and payment processing companies to loan providers and credit reporting bureaus.

IT security teams are doing their best to protect themselves from cyber criminals – and a key part of their armoury is encryption.

Encryption is what keeps personal and sensitive information secure: it scrambles data so that anyone who obtains it without the key cannot read or misuse it.  Far older than the Internet, encryption can severely hinder attackers in their goal of stealing confidential user and customer data, trade secrets and more.


Encryption applied end to end, so that data is protected wherever it lives, whether in a public or private cloud or on a device, maximises data protection.  It is invaluable in limiting the damage from advanced threats, protecting against IoT-enabled breaches and maintaining regulatory compliance.  But the wide variety of enterprise deployment options can be intimidating, and many companies have not been using encryption effectively.

Encryption is often treated by IT operations as a tick-box exercise, with point solutions that encrypt only individual segments of the infrastructure.  There is no push from leadership to ensure that a single encryption policy covers the whole estate.  Without that overarching encryption solution, with centralised key management, businesses fundamentally undermine their cyber security strategy and leave themselves vulnerable to a data breach.  Here are two key areas of danger:

  1. Your data is everywhere!

Mobile devices and inexpensive, easy-to-use cloud file-sharing services make it easy to work anywhere and at any time.  Such access has become essential to operating in an always-connected world.  The net result is that your data can be anywhere.  Because companies run such a wide variety of infrastructure, spanning endpoints, data centres and cloud, encryption can be complicated to implement consistently in modern environments.

Native encryption technologies are useful at one level, but each platform's built-in tooling covers only its own devices and manages its own keys, so gaps remain and IT admin teams are left juggling many separate sets of encryption keys, which is a real headache.  Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl is common, leading to silos of hidden data and fragmented governance.  What is needed is an end-to-end data protection platform that works across all infrastructures.

  2. Beware the regulators!

Rather like the never-ending stream of news stories about Brexit, many of us have tuned out of reports about data breaches.  We know that they are happening, day in and day out: on networks when information is transferred, and when devices are left unattended, lost or stolen and eventually fall into the wrong hands.  There are many ways to lose information, and every one of them is potentially damaging to an enterprise.  With ever more stringent regulations, it is easy for an organisation to fall foul of the requirements (often without knowing), leaving itself exposed, non-compliant and at risk of heavy fines.

Added to that, more and more regulations stipulate the need not only to protect data with encryption, but also to protect the keys used to encrypt it.  PCI DSS, for example, explicitly requires businesses to document and implement procedures that protect the keys used to secure cardholder data against disclosure and misuse; GDPR names encryption as an appropriate technical measure and relaxes some breach-notification duties only where the lost data was rendered unintelligible; and financial regulations such as MiFID II add their own record-protection obligations.  At the end of the day, the protection encryption gives is only as strong as the protection of the keys: whoever holds the key holds the data.

Plugging the gaps in your cyber defence

It is easy to see how things can quickly become very complex, and why it is important that organisations enforce encryption automatically through their security policy to help avoid disaster.  With an encryption platform mandated from the boardroom and enforced centrally, businesses can rest easy knowing that data is protected across the estate and that encryption cannot be switched off by employees looking to optimise device performance, which is a real problem for both point encryption solutions and anti-virus products.

Encryption not only renders information unreadable to anyone who accesses it without the key, but it is also one of the few technologies named explicitly in these evolving and escalating regulations as a reasonable and appropriate security measure.  Furthermore, centralising encryption management and ensuring keys are controlled from one point helps a company enforce these regulatory and governance requirements.  Ultimately encryption is the last line of defence when a breach occurs, whether the cause was an intruder or an accident.
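The key hierarchy that "protecting the keys" (under the regulators, above) and "controlling keys from one point" imply is envelope encryption: each object is encrypted under its own data-encryption key (DEK), and only the DEKs are wrapped under key-encryption keys (KEKs) that never leave the central key service. The Go program below is an added example and is not code from the article or from any WinMagic product; the KeyManager type, the Envelope layout and the sample record are assumptions made for illustration. It uses only the standard library (AES-256-GCM) and shows the three operations a central key service exists to make cheap and auditable: rotating a KEK, rewrapping existing data onto the new KEK without re-encrypting it, and revoking an old KEK, after which anything still wrapped under it is unreadable however strong the bulk cipher was.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope sits beside each stored object (hypothetical layout for this example).
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), with the KEK version as AAD
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyManager stands in for the central key service (a hypothetical, not any product's API). KEKs never leave it.
type KeyManager struct {
	keks    map[int][]byte
	current int
}

func NewKeyManager() *KeyManager {
	km := &KeyManager{keks: map[int][]byte{}}
	km.Rotate()
	return km
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// Rotate installs a fresh KEK as current; older versions stay until Revoke so envelopes wrapped under them still open.
func (km *KeyManager) Rotate() int {
	km.current++
	km.keks[km.current] = randomBytes(32)
	return km.current
}

// Revoke destroys a KEK version: every envelope still wrapped under it is unreadable, however strong the bulk cipher.
func (km *KeyManager) Revoke(version int) { delete(km.keks, version) }

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a bad key length reaches here, which randomBytes(32) rules out
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func versionAAD(v int) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) }

// Encrypt: a fresh DEK per object, data under the DEK, DEK under the current KEK.
func (km *KeyManager) Encrypt(plaintext []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{
		KEKVersion: km.current,
		WrappedDEK: seal(km.keks[km.current], dek, versionAAD(km.current)),
		Ciphertext: seal(dek, plaintext, nil),
	}
}

func (km *KeyManager) unwrap(env *Envelope) ([]byte, error) {
	kek, ok := km.keks[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is revoked or unknown", env.KEKVersion)
	}
	return open(kek, env.WrappedDEK, versionAAD(env.KEKVersion))
}

func (km *KeyManager) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := km.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope onto the current KEK without touching the bulk ciphertext: one small AEAD call per object.
func (km *KeyManager) Rewrap(env *Envelope) error {
	dek, err := km.unwrap(env)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = km.current, seal(km.keks[km.current], dek, versionAAD(km.current))
	return nil
}

func main() {
	km := NewKeyManager()
	env := km.Encrypt([]byte("constructed sample record")) // sample input, not real data
	km.Rotate()
	km.Rewrap(env) // keep this one readable
	km.Revoke(1)   // then destroy the old KEK
	pt, err := km.Decrypt(env)
	fmt.Printf("%q %v\n", pt, err)
}
```

Rewrap touches only the few dozen bytes of wrapped DEK, so a fleet-wide KEK rotation is a metadata job rather than a re-encryption of every disk and bucket, and an envelope that was never rewrapped simply stops opening once its KEK is revoked, which is the audit trail a regulator asks for. Binding the KEK version into the GCM associated data means an envelope cannot be silently relabelled as belonging to a different key version.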

In conclusion

If there is one absolute truth in business, it is that data is now everywhere.  Big or small, companies wrestle with keeping data secure for an ever-expanding mobile and agile workforce.  Effective control and management of security, and specifically of encryption and its keys, across an IT infrastructure that spans on-premises systems and cloud service providers is the only way to minimise the risk of data loss and meet growing legislative requirements.