Encryption has been in the news a lot recently. Services like WhatsApp and Apple have been questioned by governments amid suspicions of hiding terrorist communications inside their networks. The FBI even tried to force Apple to decrypt a phone through legislation to expose user data.
Is encryption good, or bad? What exactly is it? How might it benefit your organisation when planning how best to protect your own data against attack?
In a world of increasing cyber threat, this powerful tool can go a long way to keep your network safe, so this month we celebrate our 2nd birthday on the Blog by attempting to demystify this ancient technology.
What is encryption?
Alan Turing spent most of his adult life trying to “hack” encryption devices. In fact, cryptography – the art of sending secret messages – has been found in tombs of Egyptian Kings as early as 1900 BC.
The basic concept of scrambling messages – or data – using a code is nothing new. Step 1: create your message. Step 2: devise a scheme with which to change the characters into something random. Step 3: send your message. Step 4: disclose your scheme to intended recipients to allow them to unscramble it.
The weakness is of course the scheme or pattern you use to scramble – encrypt – your messages. A simple code could be guessed by anyone intercepting your messages through a process of elimination. A more complex encryption scheme – an algorithm – takes longer to unscramble, but is also more secure. Sometimes even the most complex codes are broken, as Turing and his team demonstrated over months of extremely laborious trial and error techniques or, more recently, in the WPA2 Wi-Fi hack which gave anyone the keys to private wireless networks secured using a very popular type of encryption.
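The four steps and the "process of elimination" weakness, as an added example that is not part of the original post. It assumes a toy letter-shift scheme, a constructed message and a constructed word list, and contrasts the 25 keys an interceptor must try here with the number of keys behind a 128-bit key.

```python
import string

ALPHABET = string.ascii_uppercase
# Constructed word list used to recognise a successful guess.
COMMON_WORDS = {"THE", "AT", "AND", "MEET", "OFFICE", "NOON", "TO", "IS"}


def scramble(message: str, key: int) -> str:
    """Steps 1-3: shift every letter `key` places along the alphabet."""
    out = []
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def unscramble(ciphertext: str, key: int) -> str:
    """Step 4: a recipient who was told the key reverses the shift."""
    return scramble(ciphertext, -key)


def guess_by_elimination(ciphertext: str):
    """Someone without the key tries every possible shift and keeps the
    candidate that contains the most recognisable words."""
    best_key, best_text, best_score = None, "", -1
    for key in range(1, 26):  # only 25 possible keys to eliminate
        candidate = unscramble(ciphertext, key)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if score > best_score:
            best_key, best_text, best_score = key, candidate, score
    return best_key, best_text


def keyspace(bits: int) -> int:
    """Number of keys an interceptor must eliminate for a key of `bits` bits."""
    return 2 ** bits


if __name__ == "__main__":
    secret = scramble("Meet at the office at noon", key=7)  # constructed message
    print("sent over the wire:", secret)
    print("recipient with key:", unscramble(secret, 7))
    print("interceptor's guess:", guess_by_elimination(secret))
    print("keys to try, toy scheme:", 25)
    print("keys to try, 128-bit key:", keyspace(128))
```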
Like many risks, you can never be 100% immune. But implementing even a basic layer of encryption on your network, files and/or computers or other devices will protect you against the majority of criminals who may take a sniff around your data when you’re not looking.
How can my organisation use encryption to protect us?
As a starting point we will explore three common types of encryption. We could employ one, two or all of these techniques on your network with relative ease and, for charities especially, minimal software costs.
- File Level Encryption
Every organisation shares files between people. Word, Excel, Email – files are transmitted from one person to the next; sometimes via a shared drive, sometimes sent direct. Without encryption, if these communications are intercepted, their contents are disclosed with ease.
File Level Encryption addresses this risk by scrambling the contents of the file upon being sent, or in situ. Others wishing to access these files need to first obtain the code to unscramble the file; this is known as a Key. Who you give these keys to is in your control, and whilst those without a key may still be able to access the files themselves, the information inside them would be useless.
There are lots of software applications that can offer this, and in fact this basic layer of protection is included in Windows, which is great if you need to send a really sensitive document ad-hoc. The drawback is that if you lose the key – or don’t have one in the first place – you can’t get to the files either. This same technique is the basic principle used in Ransomware attacks; see our Ransomware guide for more info.
- Whole Disk Encryption
This is a step up from encrypting just your files, to locking out your whole computer hard drive. The main benefit here is for portable devices like laptops and tablets – devices that can easily fall into the wrong hands. The entire disk is encrypted, meaning you cannot even get to a logon screen, let alone any files, without first entering your unique key to start the machine.
If your staff travel regularly with their laptops or tablets, it’s both sensible and relatively straightforward to implement Whole Disk Encryption on some or all of your computers. As with File Encryption, this feature is included in the Professional version of Windows, which all charities can obtain for very little cost via the TT Exchange charity software donation scheme.
Rolling out this level of protection is highly recommended, but also needs to be planned carefully. Your staff may take time adjusting to the need to enter another password as soon as they turn on their computer. And maintaining the keys to unlock machines should the user forget their credentials is equally important. We can help you draw up a strategy based on our expertise in this area built over many years.
- Network Layer Encryption
Securing your files, and the computers that access these files, will go a long way to mitigating the risk of data loss through accidental or malicious means. For those who handle extremely sensitive data, or operate in a dangerous or oppressive environment, you may also need to encrypt the communication channels used to transmit and receive this information.
The best example of a widely available yet completely encrypted network is the Dark Web. This network is free and easily accessed by anyone, and renders you totally invisible as you send and receive information online by encrypting all the traffic your computer generates. By its nature, this means websites that should never see the light of day can thrive. However, this same network allows bloggers who live where the internet is censored – for example in China – to express themselves and access foreign news channels.
At a more local level, there are various encryption tools available; the simplest of which is implementing HTTPS across the organisation, as a means for your computers to talk to one another securely. We can advise if you feel this is something that should be explored further based on the type of information you process.
Encryption sounds like a scary and complicated word, but it is a very powerful data protection tool. If implemented correctly, it can be virtually invisible to your team members, yet offer a strong layer of security to stop your data falling into the wrong hands.
Like any change it should be planned properly, but the best bit is that a lot of encryption tools are already included in the Microsoft products you probably already use, and for any features that aren’t, they are available for charities at a very low cost.
Have a look at our Ethical IT Knowledgebase for further guides and support on IT Security, Cloud and many other topics, all available totally free.