In our Introduction to Encryption article, we laid out the basics of how encryption works to help protect your sensitive information from hackers. Encryption also provides better privacy and comfort for both you and users of your site or service, making it less likely for hackers to be able to snoop or steal their information.
More and more businesses are enlisting encryption experts to help them implement plans to encrypt data, internet connections, websites, and email—but is it the right strategy for you? Read on to learn more about encryption, when and where you should use it, and some things to consider when crafting your own encryption strategy.
Who’s using encryption?
The short answer? Everyone. You don’t have to be an organization with strict compliance requirements to need encryption, either. And it’s not only enterprise organizations that are successfully targeted: over half of hacks happen to small- to medium-sized businesses with fewer than 1,000 employees. Hacks aren’t the only threat, either. Government eavesdropping, contract workers handling sensitive information, third-party services, and the need to protect intellectual property are all strong motivators for using encryption.
Over the last 10 years, enterprise-wide use of encryption has jumped from 15 percent to 37 percent, according to a 2016 study conducted by the Ponemon Institute. Encryption can be enforced extensively throughout an organization, or be more narrowly deployed. Major encryption categories include:
- Database, data storage centers, and big data repository encryption
- Email encryption
- Application-level encryption
- Hard drive encryption (full disk encryption [FDE] or an intermediate disk encryption)
- Encryption of financial transactions
- Internet connections: secure sockets layer (SSL), transport layer security (TLS)
- Public/private cloud encryption, and cloud gateway encryption
The types of industries using encryption vary, too. As you would expect, industries subject to strict compliance and regulation, like finance and healthcare, are the biggest users of encryption. But its use is growing industry-wide, from retail and tech companies to manufacturers and the public sector. That’s because no one is immune to the mistakes encryption can protect against, like employee error.
Encrypting Data in the Cloud
Two main applications for encryption are public and private cloud encryption, including hybrid cloud scenarios. When businesses use a hybrid cloud structure for computing and storing data, they’re joining a public and a private cloud over an encrypted connection, so that data traveling between the two stays safe.
Data that’s “at rest” in the cloud is, more often than not, encrypted too. The cloud provider could scan your files, or a third party could break in and access them. That’s why many businesses that use the cloud turn to encryption services that make data unreadable before it’s synced with the cloud. Tools like Viivo (free for personal use, paid for commercial use) let you pre-encrypt data before it’s sent to a cloud server, so the cloud, and anyone who gets into it, can’t see anything useful.
Some other tools include:
- VeraCrypt
- Dropbox allows encryption
- BoxCryptor: This password-protected software is super easy to use and can encrypt files on the fly with AES-256. It’s compatible with Mac, Windows, iOS, and Android
- nCrypted Cloud lets you encrypt files with a click before sending them off to the cloud, with a model based around companies that need to collaborate securely with freelancers, contractors, partners, etc.
- Sookasa encrypts with AES-256 and SSL data transport
- Cloudfogger
Note that with all of these tools, an unencrypted copy of the file may remain locally on a server or hard drive. That’s why it’s important to pair them with other encryption best practices, like FDE, to reduce the risk of exposure.
New Threats on the Horizon: What Are Quantum Attacks?
When it comes to encryption, many companies find an important consideration is current state vs. future potential. Essentially, data that’s safe via encryption now may not always be safe. As hacking evolves, older data that’s been encrypted in the past could be accessed by more powerful decryption software, and information you thought was safe might be exposed. Just because data or messages are old doesn’t mean they’re not still sensitive and able to be used for malicious purposes—something governments and national security organizations know all too well. The key is to not rest on your laurels and to keep an eye on new threats as they arise.
One that’s on security specialists’ radars—however far off it may actually be—is attacks by quantum computers. Quantum attacks are a looming cyber security threat because we know their potential, but they’re not quite “there yet.” Quantum computers are incredibly powerful—powerful enough to solve problems in a fraction of the time of traditional computers.
Here’s a peek at their potential: Take an encrypted message, for example. Depending on the length of the key, it might take an average computer years to cycle through the exponential possibilities to guess the key. For a quantum computer, that same task could take seconds.
The good news? Their application as hyper-fast hacking machines hasn’t been perfected yet. If hackers (or government organizations) figure out a way to harness quantum computers for decryption, they’ll theoretically be capable of “crypto-cracking,” meaning the secure passwords, TLS and SSL connections, and encryption standards of today could be cracked in the future. It’s still a ways off, but something to keep in mind as encryption science evolves.
Many of today’s encryption algorithms aren’t quantum-proof, and while quantum attacks aren’t yet a viable threat, some organizations, like Google, are already working on interim solutions, such as new algorithms to secure browsers against the quantum computing attacks of the future. Post-Quantum’s PQ Chat, for example, is a post-quantum hardened chat technology that lets companies future-proof their communication platforms.
Putting an Encryption Strategy in Place
Why would a business not use encryption? Some major challenges and concerns surrounding deployment of an encryption strategy include how it will affect overall system performance, difficulty deploying the technology, latency, scalability, key management, integration with other security technologies, and cloud support.
The performance issue can be a valid one: the stronger the encryption, the harder a computer has to work to do the math to encrypt and decrypt the information. Encryption always has a cost, whether in network performance or in money, but the safety of your data and communications should override most concerns. It’s possible to strike a balance between the two, though. Find an encryption strategy that protects what it should but doesn’t put too much stress on your network operations and individual machines.
An encryption expert will be able to help you decide on the best tools to both suit your individual requirements (e.g., cloud or onsite) and mitigate your concerns. Also, you’ll need to decide what you want to (and perhaps what you’re required to) encrypt, how to classify this data, and where it resides on your system. You probably won’t need to encrypt everything, and having a strategy for this could help you save a lot of time and effort.
Things to consider when planning an encryption strategy:
- What data am I looking to protect and why? HR-related employee data? Financial data? Customer data? Data regulated by compliance, like HIPAA?
- Where is this data stored, and how is it transferred? Is it in the cloud or an on-site data center? Does it move by email, USB, or a service like Dropbox?
- Who will need access to it, and where will they be accessing it from?
- What’s your key management and storage strategy? The most effective encryption strategy can be thwarted by bad key management, like storing an encryption key in the cloud or on the same server where the data resides. What type of key management system will you use (a spreadsheet maintained by hand, or a dedicated key server?), and who in your organization will own it?
- How will you educate your employees on your new strategy to make it a success?
- Does your encryption strategy need to integrate with other security systems?
These are all questions a skilled internet security expert can help you answer and make a plan for. Want an overview of IT security as a whole and where encryption fits into a broader security policy? Read our article Inside IT Security: How to Protect Your Network from Every Angle.
A few tips when you’re setting up your strategy:
For hard drives and self-encrypting devices (SEDs)…
The Opal Storage Specification is a popular security measure used by companies like Intel, SanDisk, and Samsung; it prevents unauthorized access to data on a device. Your hardware itself needs to be Opal-compliant. Some older laptops and desktop computers don’t support Opal, so check yours before relying on it.
For internet connections…
Implement an HTTPS encryption strategy for your site. This is a relatively simple thing to do and should be standard if you’re serious about giving customers secure connections and safeguarding their information. You just need some engineering resources and to make plans for how it will integrate with any providers, like ad networks. Consider making it your default protocol—and make sure it’s everywhere, not just your homepage.
HTTPS Everywhere is a browser extension that rewrites your requests so you automatically connect to the secure (HTTPS) version of the site you’re visiting wherever one is available.
If you utilize a public cloud, private cloud, or hybrid cloud…
Invest in pre-encryption software to encrypt data before it’s even synced with the cloud, so the cloud can’t read your data, and neither can anyone breaking into it.
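One way to do this pre-encryption yourself, as an added example that is not from this page or from any of the tools named above: a small Go program that seals each file with AES-256-GCM (the cipher several of those tools advertise) before it is uploaded, binding the object name in as associated data so a swapped or tampered blob fails to decrypt instead of yielding garbage. It assumes the key is generated once and held in a local keystore or KMS, never alongside the data, as the key-management question above warns; the key handling in main is demo-only, and the payload is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Vault is AES-256-GCM under a 32-byte key kept on the client (local keystore or KMS), never in the bucket.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a file before sync (nonce || ciphertext || tag); the object name is AAD, so a swapped blob won't open.
func (v *Vault) Seal(plaintext []byte, objectName string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob; a flipped bit or a wrong name is an error, not garbage.
func (v *Vault) Open(blob []byte, objectName string) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return v.aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

func main() {
	key := make([]byte, 32) // demo only: generate once, store outside the cloud
	io.ReadFull(rand.Reader, key)
	v, _ := NewVault(key)
	blob, _ := v.Seal([]byte("payroll Q3 (constructed sample)"), "hr/payroll.csv")
	fmt.Printf("cloud stores %d opaque bytes\n", len(blob))
}
```

The cloud sync client only ever sees the output of Seal; the 32-byte key is the one secret that must be managed, backed up and kept off the cloud side.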
If you use messaging platforms or collaboration tools to share important information or documents…
Use end-to-end encryption for any communication or messaging, with software like Wickr or Signal.
“Perfect forward secrecy” protects past communications: because a fresh key is generated for each session, a key that falls into the wrong hands down the line can’t be used to decrypt earlier sessions. It’s available in TLS (and implementations like OpenSSL), and is used by communication platforms like WhatsApp and Signal.
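To make the per-session mechanism concrete, here is an added example (not code from Signal, WhatsApp, OpenSSL or any other project named here): each side generates a throwaway X25519 key pair, derives the session key from the ephemeral Diffie-Hellman shared secret, and then discards its ephemeral private key, so nothing kept long-term can recompute that session’s key. It is a simplified illustration: the label-and-hash derivation stands in for HKDF, and authenticating the ephemeral public keys with long-term identity keys is left out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is one side's per-session X25519 key pair; the private half is dropped once the session key exists.
type Session struct {
	eph *ecdh.PrivateKey
	Pub *ecdh.PublicKey // sent to the peer; a real protocol signs it with a long-term identity key
}

// NewSession generates a fresh ephemeral key pair; it is never reused across sessions.
func NewSession() (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{eph: priv, Pub: priv.PublicKey()}, nil
}

// SessionKey derives the session's symmetric key from the ephemeral ECDH shared secret (hashed
// with a label; a real protocol uses HKDF), then discards the ephemeral private key.
func (s *Session) SessionKey(peer *ecdh.PublicKey) ([]byte, error) {
	if s.eph == nil {
		return nil, errors.New("ephemeral key already discarded: session cannot be reopened")
	}
	shared, err := s.eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("pfs-demo v1 session key"))
	h.Write(shared)
	s.eph = nil // forward secrecy: no long-term secret can recompute this key
	return h.Sum(nil), nil
}

func main() {
	alice, _ := NewSession()
	bob, _ := NewSession()
	ka, _ := alice.SessionKey(bob.Pub)
	kb, _ := bob.SessionKey(alice.Pub)
	fmt.Printf("alice %x... bob %x...\n", ka[:4], kb[:4])
}
```

A second run of the exchange yields an unrelated key, and once SessionKey has returned, the same Session object can no longer derive anything, which is the property a leaked long-term key cannot undo.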
—
If you haven’t already, you’re probably thinking about enlisting the help of an encryption expert to assess the safety of your data. There are IT security freelancers on Upwork with expertise in encryption who are able to consult with you on an encryption strategy that will work for you and your data.