With the General Data Protection Regulation (GDPR) deadline less than 6 months away, encryption is a key technology that will enable organizations to comply with the regulations and avoid heavy financial penalties. With the increasing number of data breaches, an encryption policy that spans a wide range of applications and purposes will go a long way to safeguarding organizations’ data and that of their stakeholders.
Planning encryption key management
When considering encryption, businesses must first understand what data they produce and which data is most valuable or sensitive, through conducting a data sweep. Only by understanding what data they have can businesses then seek to encrypt and protect it.
The key to businesses maintaining control over their encrypted data in an ever-more hybrid environment is thoroughly planning encryption key management strategies.
Encryption keys are essential to unlock secured data and provide fundamental control over who has access to certain data – making companies, and more importantly customers, the custodians of their own data. The best approach is to store encryption keys in specially designed hardware, to prevent them from being stolen. Otherwise, it is like fitting your house with the best security out there and then leaving your key under the doormat for the burglar to find.
Businesses are not just risking a financial hit if they do not implement and manage the protection of their data properly, but a reputational one too. Consumers believe the majority of responsibility for protecting their data lies with the business and will blame it if something goes wrong. Companies need to take note of this, because if something does go wrong, customers are likely to go elsewhere. To keep customers’ loyalty, companies must show they are actively working to protect customer data using techniques like encryption.
Encryption itself is very effective, but if the encrypted data and the encryption keys that unlock it are not protected, then unauthorized individuals can easily recover the data. To protect against this, businesses should also focus on who is authorized to access valuable and sensitive data.
The best approach is to use two-factor authentication, which requires the employee both to possess something, such as a phone or access to an email address, and to know a code or password that is constantly changing, rather than relying on a single static code or password that can be guessed. These types of security are readily available but need to be more widely adopted by businesses.
Company boards should take a considered approach to security. It is not a question of the Chief Information Security Officer (CISO) saying no all the time, but rather of implementing security protocols early, so that security does not hold back innovation and the company adheres to the latest regulations.
Furthermore, a security mindset established at the top of the company will filter down to the rest of the employees. Every business should know that its defence is only as secure as its weakest link.