Data Encryption

Encryption: choose the best!

Today a lot of encryption solutions are available on the market, but understanding the differences between products is often hard because of the complexity of the underlying algorithms. Here are some practical suggestions that can help you choose the right solution for you and your business.

After WhatsApp's decision at the end of 2015 to encrypt the messages sent by its users, encryption has jumped to the forefront as a topic of discussion on social media.

Data encryption techniques, however, are not all the same, and understanding how they work requires advanced knowledge of mathematics and analytical concepts that the average user rarely possesses. In an article published on Techbeacon.com last July, Luther Martin, a software engineer at HPE, after a brief detour into economics, provides some useful tips for navigating the intricate world of data encryption.

According to Martin, products that implement encryption are probably credence goods, that is, goods whose properties cannot easily be checked either before or after they are consumed. Many medicines are credence goods as well, because it is difficult to tell whether your recovery was really due to the medication, to a placebo effect, or simply to your body recovering on its own. It takes expensive and uncommon skills to verify that data is really being protected by the use of encryption, and most people cannot easily distinguish between very weak and very strong encryption. Even after you use encryption, you are never quite sure that it is protecting you.

If encryption is a good you can only "believe in", is there a practical way to tell products apart and steer the choice towards those that deliver stronger data protection and satisfy compliance requirements where they are most demanding?

There are many things to consider when selecting what type of encryption you should use and how to deploy it effectively to protect your sensitive data, but one criterion stands out as more important than all of the others: whether or not a given technology has been validated against the US government’s FIPS 140-2 standard (http://csrc.nist.gov/groups/STM/cmvp/standards.html). If you select encryption that meets this criterion, it will almost certainly be acceptable to your auditors, which is just as important as any other aspect of the technology.

(source http://techbeacon.com/software-engineers-guide-encryption-how-not-fail)


According to recent research, about 90% of data breaches are caused by human error. And the average cost per compromised record has risen again compared with 2015, reaching $158, says the Ponemon Institute.

75% of companies report having had at least one problem related to the security of their data in the last 5 years, and for 25% of them those problems caused economic losses.

How Encryption can Help Your Business

The new GDPR will come into force in May 2018, setting new rules (and new, heavier penalties). Don't look at it as a threat, but as an opportunity to improve your organization's security!

The new European General Data Protection Regulation, effective in May 2018, introduces important new obligations that will have a major impact on how organisations process the personal data they hold (of employees, suppliers, customers) and on what happens in the event of non-compliance. Here we briefly summarise the main changes:

  • Data protection standards: companies will have to implement all the technical and organisational measures needed to ensure proper protection of the personal data they hold. In particular:

    encryption and secure pseudonymisation;

    resilience of the systems and services that process the data;

    adequate measures to ensure the availability of the data and the timely restoration of access to them in the event of a data breach;

    frequent verification of the effectiveness of the measures put in place.

  • Need to notify any data breach: the notification must be made to the data protection authority and, where the breach is likely to result in identity theft, fraud or other economic or social damage to the people concerned, to all those individuals as well. In the latter case no notification is due if the company can demonstrate that it had put in place appropriate security measures, in particular measures such as encryption that render the data unintelligible to anyone not authorised to access them.
  • Penalties: a company that does not comply with its obligations under the GDPR faces a fine of up to 10 million euros or 2% of its global annual turnover, whichever is higher. For the most serious infringements (the basic principles of processing, data subjects' rights, international transfers) the ceiling rises to 20 million euros or 4% of global annual turnover.

Now, a number of studies have pointed out that about 90% of successful data breaches are due to human error. Consider the case of Eastern Health, one of the largest health providers in the Canadian province of Newfoundland and Labrador.

In June 2015, Eastern Health announced that a flash drive containing the personal information of around 9,000 employees had been lost. There was nothing to suggest that the information on the USB drive would be used for a fraudulent purpose. In fact, Eastern Health said it had no idea where the flash drive was. It could have been at the bottom of someone's drawer or down a sewage drain, sure, but it could also have been dropped on a busy city street or left on a subway. You cannot account for who will pick up a drive you have no idea how to locate.

Then, two months later, a very interesting development was announced: the flash drive had been found, in an office filing cabinet. Eastern Health had had it in its own offices the entire time. A happy ending, isn't it? Yes, certainly, from the point of view of protecting the employees' privacy, but a happy ending that cost the organization about 100,000 dollars in searching for the drive and assessing the damage, money that could have been saved by adopting some basic preventive precautions, such as encrypting portable media, and by handling it with less carelessness.

Another recent survey indicates that although 64 percent of respondents report having data sharing and usage policies, only 30 percent have Data Loss Prevention solutions in place. Yet, according to Corey Nachreiner, WatchGuard Security Strategy Director, there are five simple steps CIOs and IT managers can take to protect the organization's critical data assets from both intentional and accidental data loss.

  • Do a Data Inventory – What sensitive data does your organization have? Where do you store it? Why does the organization need it? Who needs access to it? How do they use it? You need to find out in order to protect it.
  • Create a Data Policy – Good information security always starts with a well-thought-out policy. Even the best security technologies cannot replace good planning.
  • Leverage Access Control – You may already have many good tools to help, such as OS authentication, identity and access management, firewalls, network ACLs and other security controls. But are you using them? The simple step of segmenting your trusted users from one another based on their roles can help.
  • Use Encryption – Encryption can be expensive, but for data at rest and in motion it is vital for sensitive documents. However, you don't have to encrypt everything. If you learn where your organization stores its most vital data, you can concentrate on encrypting just that.
  • Adopt DLP Technology – Vendors are offering cost-effective and easy-to-use solutions that can help organizations detect and block sensitive data at rest, in use and in motion. Consider Unified Threat Management (UTM) solutions that integrate DLP technology and allow it to be centrally managed through a single console. Gateway-based DLP technologies found on UTM devices can solve a big portion of the problem for a fraction of the cost and complexity of other solutions.
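The first, fourth and fifth steps above (inventory the sensitive data, encrypt only what needs it, detect sensitive data at rest) all start from the same capability: being able to scan what is stored and flag the files that actually contain personal or payment data. The following Python script is an added example written for this page; it is not code from the original article, from WatchGuard or from Cardwave. It walks a directory tree, looks for e-mail addresses and payment card numbers, and validates candidate card numbers with the Luhn checksum so that random 16-digit references are not reported as cards. The directory layout, file names and file contents are constructed sample data, and the patterns are illustrative: a real deployment would tune them to the organisation's own inventory.

```python
import re
import tempfile
from pathlib import Path

# Illustrative detectors. EMAIL_RE is deliberately simple; CARD_RE only finds
# candidate digit runs (13-19 digits, optionally separated by spaces/dashes)
# and luhn_ok() decides whether a candidate is plausibly a real card number.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for syntactically valid payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return {kind: count} for the sensitive data found in one file's text."""
    findings = {"email": len(EMAIL_RE.findall(text)), "card": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["card"] += 1
    # Drop kinds with no hits so the report only lists what matters.
    return {k: v for k, v in findings.items() if v}


def inventory(root: str) -> dict:
    """Scan every regular file under root; map relative path -> findings."""
    report = {}
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                # unreadable file: skip, do not crash the scan
        hits = classify_text(text)
        if hits:
            report[path.relative_to(base).as_posix()] = hits
    return report


def build_sample_tree() -> str:
    """Create a constructed sample tree (hypothetical data) and return its root."""
    root = tempfile.mkdtemp(prefix="inventory_")
    samples = {
        # Real-looking payroll export: one e-mail and one Luhn-valid test card.
        "hr/payroll.csv": "name,email,card\nAda,ada@example.com,4111 1111 1111 1111\n",
        # Nothing sensitive here.
        "ops/readme.txt": "Build server notes. Contact the team on the usual channel.\n",
        # Two e-mails plus a 16-digit order reference that fails Luhn (not a card).
        "sales/leads.txt": "bob@example.org\ncarol@example.net\norder ref 1234 5678 9012 3456\n",
    }
    for rel, content in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel_path, hits in inventory(tree).items():
        print(f"{rel_path}: {hits}  -> encrypt / restrict access")
```

On the constructed tree the scan reports hr/payroll.csv (one e-mail, one card) and sales/leads.txt (two e-mails), and stays silent on ops/readme.txt and on the order reference that merely looks like a card number. That short list is exactly the "what and where" the inventory step asks for, and the set of files on which to concentrate encryption and access control.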

Information Security Made Simple

Simplify the way you secure your most valuable information: download the PDF edited by Cardwave and find out how you can comply with the new GDPR without any risk of heavy penalties!


Our Encryption Solutions

Spyrus PocketVault

“SPYRUS has a strong commitment to developing the strongest possible information security hardware products on the market today. Their products are standards-based, rigorously tested and designed with the need of the high-end security customer in mind.”

Paul Raines, author Global CISO CSO Magazine


Cardwave is a globally recognised expert in solid-state media and we make it easy for companies who need to understand and use this technology in their business. We are known for our professionalism and quality of service and we handle millions of dollars worth of business and commercially sensitive data for many high-profile brands.

Want to learn more?

Would you like to use hardware-encrypted USB devices but aren't sure which solution best fits your requirements? No worries, we can help!
Contact us

Anti-Malware Protection

USB peripherals can turn into dangerous malware vectors (the so-called BadUSB) because of an inherent weakness of their architecture: the firmware of the device controller can be reprogrammed, so a storage device can present itself to the host as, for example, a keyboard or a network adapter and act on the user's behalf. USB manufacturers can address that issue by building "secure-by-design" drives whose controller firmware cannot be reflashed in the field.

Read More

Windows To Go

A Windows To Go live drive lets your OS boot and run from a USB flash drive or external hard disk that has been certified by Microsoft as compatible, giving you a fully manageable corporate Windows environment.

Read More

Remote Support

Increasingly sophisticated technologies and high-speed connections make it possible to access and control machines thousands of miles away, securely. Discover how a remote desktop software solution can improve your business.

Read More

Social Engineering

Did you know that 91% of successful data breaches start with a spear-phishing attack? Cyber-attacks are rapidly getting more sophisticated. Adequate training can help your employees better manage the pressing IT security problems of social engineering, spear-phishing and ransomware attacks.

Read More