Five tips for small businesses adopting encryption
The world of encryption is changing more than ever before. Today a lot of smaller businesses are looking at adding encryption for the first time, driven by recent regulations such as GDPR and others that require encryption as part of their privacy-enforcing mechanisms. However, along with the benefits that encryption offers, there are also challenges that these smaller businesses face when looking to adopt it.
Based on the experience and feedback that Becrypt has gathered, I have summarised the top five issues that small businesses should think about if they are looking at adopting disk encryption, or if they are looking at undertaking wider roll-outs of disk encryption.
Ease of use
Organisations must look for products that are easy to use and quick to install. These are obvious requirements that are partly about reducing the time and expertise required to install products in the first place. An important subsequent point is total cost of ownership. If a product is not easy to install, that is usually a good indicator of a level of complexity that will remain as a long-term business overhead.
The more complex a product is, the more complexity there is to manage. This leads to higher levels of required expertise. It also increases the potential for support issues to occur over time. This drives up the product’s total cost of ownership for the organisation.
Encryption can be a business-critical management asset, as well as a business-enabling technology. It is therefore important that you are working with an organisation, whether that is the vendor or the vendor's partner, that can offer good and accessible technical support.
Even if you are choosing a product that is easy to use, i.e. one that is going to reduce the amount of technical support required, you should still think about the potential for requiring support over the total life of the product. In a couple of years, you may be looking at doing something slightly differently, such as encrypting new devices that may be non-standard (such as small business RAID servers). Therefore, you will want to ensure that you can pick up a phone and talk to someone with sufficient expertise.
The option of phone-based support is important: being able to jump onto a call in a reasonable amount of time and actually talk to an expert. We would therefore certainly recommend testing this process with the vendor or the partner before you go ahead and procure.
Proof of encryption
It is a good first step to encrypt business laptops, as organisations will always lose laptops. Encryption turns what would potentially be an information loss into just the loss of a physical asset. It protects the organisation's information and addresses the organisation's liabilities.
However, under regulation such as the General Data Protection Regulation (GDPR), there is often a requirement to prove that devices actually were encrypted in the event of a loss. This addresses some of the reporting requirements within these regulations. Proving that a device loss is not an information loss, and so avoiding the need to undertake breach notification, is something you want to think about in advance.
If you’re deploying a product that includes centralised management, that functionality should already be there. But many small businesses will choose to deploy in a more stand-alone configuration. Deploying with a central management platform increases cost but also increases risk.
With stand-alone installs, you should still ensure that the product has a reporting capability of some kind, such as online reporting. This allows the encryption status of your estate of devices to be reported.
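As an added example, not from the original article and not Becrypt's code: on a Windows estate using the built-in BitLocker disk encryption (an assumption, since the article names no product), the encryption state of each volume can be collected into a per-device CSV record that an administrator keeps as evidence of encryption at the time the device was last seen. The report directory is a placeholder; the cmdlets and property names are those of the standard BitLocker PowerShell module.

```powershell
# Added example (not Becrypt's code). Assumes Windows with the BitLocker
# PowerShell module available (Get-BitLockerVolume), run with administrator rights.
$reportDir = '\\fileserver\encryption-evidence'   # placeholder path, adjust for your estate
$timestamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'

# One row per volume, with the fields a "was this device encrypted?" question needs
$rows = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Device        = $env:COMPUTERNAME
        CollectedAt   = $timestamp
        Volume        = $_.MountPoint
        VolumeStatus  = $_.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress
        Protection    = $_.ProtectionStatus    # On = key protectors enforced; Off = drive effectively open
        PercentDone   = $_.EncryptionPercentage
        Method        = $_.EncryptionMethod
        KeyProtectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    }
}

# A volume only counts as protected when it is fully encrypted AND protection is on;
# a fully encrypted drive with protection suspended would not satisfy the evidence requirement.
$unprotected = $rows | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }

# Keep a dated record per device so the status at the time of a later loss can be shown
$rows | Export-Csv -Path (Join-Path $reportDir "$env:COMPUTERNAME.csv") -NoTypeInformation

if ($unprotected) {
    Write-Warning ("Unprotected volumes on {0}: {1}" -f $env:COMPUTERNAME, ($unprotected.Volume -join ', '))
    exit 1   # non-zero exit lets a scheduled task or monitoring job flag the device
}
```

Run as a scheduled task on each device; the CSV files give a stand-alone deployment the per-device status record that a central management console would otherwise provide, and the non-zero exit makes devices that have fallen out of a protected state visible.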
In the first instance, you may be looking at deploying encryption within an estate of Windows devices. As technology changes and refreshes, it could be the case within a year or two that you have other requirements. You might need to manage encryption on Mac devices, or on smartphones and mobile devices within that same suite of products.
Therefore, it is a good idea to look for vendors that have multi-platform offerings, helping to future-proof your technology choice. This helps avoid being tied to a vendor, and at least ensures that your existing vendor remains an option as your requirements grow.
Using product certification and assurance schemes
It is a good step to encrypt devices and be able to prove that you have encrypted them. However, there is an increasing regulatory requirement to demonstrate that you have gone through some process of ensuring that the technology you are adopting represents best practice. For example, GDPR explicitly references 'state-of-the-art' technology.
To fully ensure that you are managing liabilities, you need to evidence not just that you are adopting technology, but that it is appropriately 'state-of-the-art'. This level of confidence can only be achieved by looking at technology that has third-party validation, normally through product assurance or certification. This provides independent validation that the product is of an appropriate quality.
There are a variety of common certification schemes relevant to encryption products. One of these is the US standard, the Federal Information Processing Standard (FIPS), which ensures that algorithms have been correctly implemented. However, organisations must be wary of adopting technology just because it has a FIPS certification. The majority of products use the same algorithms, such as the Advanced Encryption Standard (AES). FIPS ensures that a third party has validated that the vendor has correctly implemented the algorithm. However, vendors can, and still do, implement products inappropriately in ways that leave vulnerabilities.
A good example of such vulnerabilities in encryption products is within Solid State Drives (SSDs). Recent research from Radboud University in the Netherlands has highlighted vulnerabilities not just in one vendor's SSDs, but across a whole range of vendors. Vendors can take shortcuts, and the resulting vulnerabilities can be discovered. In this case, researchers were able to bypass the encryption within the SSDs.
Organisations are better off looking for certification schemes that are more comprehensive. One example is the Commercial Product Assurance (CPA) scheme, run by the UK National Cyber Security Centre (NCSC). CPA works alongside FIPS for validating algorithms, but it says more about the overall product quality and implementation, looking at the security architecture to make sure that it has been designed and implemented in a sensible way.
It also looks at the vendor's coding and build standards, thereby reducing the risk of there being a vulnerability in the product. The risk is never fully mitigated, but it certainly goes down to a point that allows you to say that, as an organisation, you are adopting best practice.
The importance of due diligence when adopting encryption
Organisations, particularly SMEs, should consider these five key steps as they adopt encryption. Alongside security and liabilities, they also need to be concerned about the cost of being caught out by products with publicised vulnerabilities, and about the subsequent cost of changing to a different solution.
Ultimately, adopting encryption is not rocket science. During their studies, the aforementioned researchers from Radboud University highlighted that implementing encryption well is not easy, and that it is easy to make mistakes. However, most good vendors, or their partners, should be able to advise you on the best-practice steps above.