Encryption failure warnings from ICO - sign of worrying lack of cyber-security knowledge

By Dr. Guy Bunker. 

The recent article in V3 warns of an apparent lack of knowledge about encryption technologies, which is causing many companies to mishandle sensitive data. Businesses have been criticised by the ICO for failing to adequately protect sensitive information, and the cause attributed to this is a general lack of knowledge about encryption technologies. In other words, in many cases cyber-security ignorance is to blame for internal cyber threats.

There are many misconceptions about both the importance of encryption and the way in which it works. As Simon Rice, ICO group manager of technology, points out: “A common misconception is that just requiring users to log in to a device, or service, with a username and password provides an equivalent level of protection to encryption. This isn’t the case. A password or PIN to control access to a device isn’t encryption and it isn’t enough to protect against unauthorised or unlawful access. In practice a password can be easily circumvented and full access to the data can be achieved.”

Perhaps most importantly, the issue of instilling an ethos based on using encryption tools within a company is multifaceted: it is the employer’s obligation both to its customers, whose data it holds under confidentiality agreements, and to its employees, whose personal and sensitive data it is legally bound to protect. Using encryption tools effectively requires ease of implementation from the encryption provider, to reduce resource intensity, and an understanding of both how and why they work. For example, when encrypting data, businesses must also consider how to safely store the encryption key, normally via a managed public key infrastructure (PKI). Just as a home-owner has a legal responsibility (as far as insurance is concerned, for example) to safeguard the key to the front door, businesses have a legal responsibility to safeguard their data as well as the implementation of their security tools. With this in mind, it is not just the damaging consequences of the data breaches that companies are held to account for, but also the financial penalties they face; in the three recent cases where encryption wasn't used, companies were hit with fines of £700,000 in total.

The cost of ignorance is evidently high, so it’s paramount that companies not only familiarise themselves with the encryption tools available, but also educate their employees on the principles (and benefits) of cyber-security consciousness. As I’ve mentioned before, relying on the strength of technology is not good enough when the risk of human error is not accounted for. If the cyber-security strategy relies on input from the end user, then a huge risk of human error remains, regardless of the company’s technical understanding of encryption tools. Written policy is not enough. Content-aware encryption solutions offer the benefits of automation and the consistent application of policy without the need for human intervention.

Communicating Information Outside the Organization

While some information is kept within the organization, a great deal also needs to be communicated outside it, and the usual mechanism for this is email. When sensitive information is sent by email, only by combining email encryption with a Data Loss Prevention (DLP) solution can companies safely rely on the technology to communicate it securely. The DLP solution is a key component in keeping sensitive information inside an organisation, but in this case it is about how the information can be securely communicated outside, and that is where encryption comes in.

Whereas traditional DLP will stop and block communication which breaks policy, an integrated encryption solution gives the option to automatically encrypt the sensitive information instead. Encryption can be applied in several ways – from the underlying transport (TLS), through PGP and S/MIME, to ad hoc ‘zip’ files (read more in our encryption whitepapers). The combined email DLP and encryption solution uses Deep Content Inspection (DCI) to ‘understand’ the context in which encryption is needed, and so can apply the appropriate encryption mechanism automatically. Today there is another option, Adaptive Redaction, which can also be used with email: it automatically removes sensitive information, based on policy, before the message is sent out. From a government department perspective this is seen as an excellent alternative (or addition) to using encryption alone, as it ensures ease of sharing along with the assurance that only appropriate information is shared – anything deemed inappropriate by the policy will have been automatically removed (redacted).

Adaptive Redaction is not only about removing key ‘visible’ information, but also invisible data such as metadata, revision history and any active content. What is removed, and when, depends upon the company’s policies and the recipient – hence ‘adaptive’.
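A worked illustration of the block / encrypt / redact decision described in the two paragraphs above, written for this post as an added example and not the code of any product it describes. The regex detectors, the domain-keyed policy table and the sample message are all constructed for the demo:

```python
import re
from dataclasses import dataclass, field

# Constructed detectors for the demo: a UK-style National Insurance number and a
# 16-digit card number. A real DCI engine uses far richer content analysis.
PATTERNS = {
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

@dataclass
class Message:
    recipient: str
    body: str
    metadata: dict = field(default_factory=dict)  # document properties, revision history
    active_content: bool = False                  # macros, scripts, embedded objects

def inspect(text):
    """Simplified deep content inspection: the sensitive-data types found in text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def redact(msg, findings):
    """Adaptive Redaction: mask the matched values, drop metadata and active content."""
    body = msg.body
    for name in findings:
        body = PATTERNS[name].sub("[REDACTED]", body)
    return Message(msg.recipient, body, metadata={}, active_content=False)

def decide(msg, policy):
    """Choose the outbound action for one message.
    policy (hypothetical) maps a recipient domain to 'encrypt' or 'redact';
    a domain with no entry gets the traditional DLP behaviour: block."""
    findings = inspect(msg.body)
    if not findings and not msg.active_content:
        return "allow", msg
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    action = policy.get(domain, "block")
    if action == "encrypt":
        return "encrypt", msg   # hand the intact message to PGP/S-MIME/TLS delivery
    if action == "redact":
        return "redact", redact(msg, findings)
    return "block", None

if __name__ == "__main__":
    policy = {"partner.example": "encrypt", "gov.example": "redact"}
    m = Message("alice@gov.example", "Ref AB123456C, card 4111 1111 1111 1111",
                {"author": "hr-team"}, active_content=True)
    print(decide(m, policy))
```

The same sensitive content is encrypted for one recipient domain, redacted for another and blocked for an unlisted one, which is the per-recipient policy behaviour the post calls ‘adaptive’.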

In order for encryption to have an impact, organisations need to understand the various options available and how they can be applied. Encryption needs to be enforced in multiple places across the business, a multifaceted implementation protecting the data wherever it is found and however it is communicated. While this used to be a daunting prospect, especially for SMEs, the next generation of solutions makes it simple to roll out and manage in a cost-effective way.