The Future of Encryption – Written by Jon Fielding, Managing Director, Apricorn EMEA.
As relentless news of security breaches and data loss continues to steal the headlines, new legal frameworks and regulations are being introduced to define data security best practices and so reduce the risks associated with data breaches.
The introduction of the General Data Protection Regulation (GDPR) has meant that organisations have had to change the way they treat confidential data, with a focus on encryption not only on portable equipment and storage devices but on all data, whether unstructured data or cloud and application data.
Article 32 of the GDPR states that data encryption is a means to protect personal data and that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.”
Additionally, Article 34 notes that if a breached organisation “has implemented appropriate technical and organisational protection measures such as encryption”, organisations can avoid the regulation’s breach notification requirement and the resultant administrative costs.
In some instances, a particular regulation will mandate encryption in clear, unmistakable terms; those that don’t adhere to these terms will be in violation of the law. At other times, regulations such as the GDPR remain vague about requiring encryption, leaving murky waters for businesses to navigate. For example, a regulation may require that sensitive and/or personal data be protected without explicitly stipulating that it be protected via encryption, which is a less than ideal situation.
For times when the law confounds, security experts can provide clarity. A general consensus among experts regarding data protection protocols results in commonly accepted best practices. The term isn’t exclusive to regulations and encryption, but it can nonetheless help guide companies that encounter nebulous regulations. If there are questions about implementing encryption that aren’t spelled out in a particular law, following industry best practices will keep a business protected. This starts with carrying out an information audit to gain visibility of exactly what types of data the organisation holds and processes, where it is stored, where it flows and what existing security controls are applied to it. From there, companies can identify where data may be unprotected and/or at risk, and whether they should also delete any, and all, data that is no longer required by the business.
Virtually every industry that deals with personal and/or sensitive data relies on encryption to protect that data. Those that don’t encrypt put themselves at risk for stiff government penalties, fines, lawsuits, and more.
What does it entail?
Put simply, encryption is a process of transforming data to make it unreadable without authorised access. Authorised access to encrypted data arrives via a decryption key. If implemented and managed correctly, the right people will possess the key and the wrong people will not.
When it comes to regulatory compliance, no universal standard for encrypting data exists in the financial space. Therefore, the individual regulations that govern how organisations handle data dictate the encryption requirements.
Encryption can happen in a variety of ways and situations. Software can often do the job, but hardware encryption is often seen as the more secure method. Certain hardware is designed to encrypt data without the need for separate software (self-encrypting drives, for example), and options exist for large hard drives as well as portable flash drives. USB devices offer a convenient way to transfer data between computers, and hardware-encrypted USB devices provide the necessary encryption capability embedded within the device, so data can be decrypted without the user needing to install additional software. Web traffic can also be encrypted using SSL (Secure Sockets Layer) and its successor, TLS. Simply put, if desired, diligent users can keep their data encrypted wherever it goes.
In a recent survey conducted by Apricorn, two thirds (66%) of respondents noted that they now hardware-encrypt all information as standard, highlighting that organisations are making headway and recognising the importance of encryption as a necessary security tool to protect data now and in the future.