Data Encryption and Cybersecurity


Current and ex-intel officials' suggestions that Islamic State militants used encrypted communications to plot the Paris attacks are adding urgency and import to the ongoing crypto debate. While it's still unknown what methods the attackers used to coordinate the strikes that killed 129 people on Friday, US law enforcement officials have long argued that the growing use of encryption hinders efforts to track terror suspects. In fact, the FBI has pointed to the IS threat as a chief reason why the so-called "going dark" problem is pressing.

Earlier this year, an elite group of security technologists concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.

The findings of the group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, were a formidable salvo in a skirmish between intelligence and law enforcement leaders on one side and technologists and privacy advocates on the other. Since Edward J. Snowden’s revelations, encryption has emerged as a major issue in the debate over privacy rights and cybersecurity.

At a time when organizations are continuing to place a high priority on improving their cybersecurity frameworks, many companies still lack policies for information security, data encryption and data classification. Most corporations and consumers are relying on outdated security solutions that were believed to be sufficient just a few years ago. We now live in a mobile-first world where data about everything and anything we do online is captured, analyzed and used to help deliver a more personalized experience. The organizations that capture the data have an ever-growing responsibility to prevent its misuse, and consumers have an ever-growing concern regarding the security of that data.

Traditional security measures tend to focus on defensive technologies that are reactive in nature, such as a corporate firewall or the more commonly understood anti-virus software. With the rapidly increasing number of connected devices and the vast amount of data created by these devices, a new way of thinking about data security is required: one that builds upon the traditional solutions that act as the first line of defense but also focuses on protecting corporate and consumer data in the event that the first line of defense fails. Most security professionals generally accept this as the most responsible approach and as best practice for computer security. Encrypting all data through its entire life cycle has the highest potential of preventing data breaches: if all data is encrypted, then hackers and thieves who gain access to the data are not able to make sense of it. Simply put, the motivation goes away.

Data encryption has been used selectively for many years; however, its wide use has been limited by the complexity of traditional encryption technologies or by the additional processing power and increased processing time required by these solutions. Most security professionals understand the need for encryption but have had to choose between flexibility and good security – security was often a lower priority until recently. Technologies like Layered security is the best approach to prevent cyber security and data breaches, but traditional defensive solutions are no longer sufficient; full lifecycle data encryption is necessary. Organizations interested in truly protecting their data would be wise to adopt an “encrypt everything” policy and supporting solutions now.

In summary, today’s business leaders should understand that some of the most valuable assets in their organization are customer data and proprietary information. Establishing protocols to limit and restrict access is at the heart of information confidentiality. Organizations need to extend their data protection policies to focus on securing the data wherever it is stored!

_________________________________________

Faisal Amin is a Director at The Berkeley Research Group and his practice areas focus on Strategy, Benchmarking, Higher Education and Technology Advisory Services.  His recent research activities have focused on various aspects of cybersecurity including innovation, education, workforce development, information sharing and corporate culture.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

This is a good piece, Faisal, but I would caution against the encrypt everything approach. I had a similar opinion earlier. However, I have a much more nuanced stance now after much discussion this week at a conference I just attended. Several respected practitioners discussed a performance decline of about 60% and the fact that encryption will not protect against a breach which uses stolen insider credentials. Encryption must be applied to any situation where the data resides on a device which can be lost or stolen or the data are in transit. Otherwise, the most promising approach appears to be fixing the authentication mess. Passwords have to go, and simpler yet stronger, more modern authentication with one-time temporal codes should be implemented immediately.
