Encryption Just Isn't Enough: Critical Truths About Data Security
Data security is facing more challenges than ever before.
The high-tech world uses a centuries-old tradition to protect your information. It encodes, or encrypts, your data. That encryption is why you see "HTTPS" with a green padlock in the URL bar. Notice the “s” at the end. It means "secure hypertext transfer protocol", telling you the data on this website is encrypted to ensure its security.
In other words, you're told you can transmit confidential personal, financial or health data if needed, without fearing hackers will intercept and read your information.
What relatively few people know is that this “security” of the website is relative. There’s still a way for malicious actors to breach the toughest of encryption. And these cyber-thieves know it.
Here’s how they slither their way in.
Encryption is simply the IT security method that’s used to flip your plain-text messages into ciphertext, so that an interceptor can’t understand them.
Google gives me an option to encrypt confidential emails into ciphertext. Anyone hacking that Gmail will see only a batch of random letters, digits and symbols. It’ll be unintelligible to them. If you’re the recipient, Google gives you a public and private key to decipher it, so you’ll get my message. The public key is like the business address on the web. Anyone can see it. Google uses that public key to encrypt my message. At the same time as you get my email, you're given a corresponding private key that works with the public key to decrypt my message. (Read also: Encryption vs Decryption: What's the Difference?)
What’s this key?
Simply a bunch of other digits that when “slotted” into the message dredge up the real meaning.
There are two common types of encryption:
1. Encryption-in-transit
The encrypted data is sent to the server, where it is decrypted before being passed on to the recipient. As long as the content is in transit, it’s encrypted. The moment the data is at rest, it is decrypted. Any savvy hacker could intercept the data at that point.
2. End-to-end encryption
End-to-end encryption is more secure than encryption-in-transit. The data retains its encryption all the way - even on the server. It’s so thoroughly secure that even the service sending the data can’t read it. Top-security products such as Signal, Telegram, Viber and Facebook Messenger's "Secret Conversations" all carry this end-to-end protection. It simply means that they've encrypted the system from beginning to end, so you can thoroughly trust it. No hacker - they say - can penetrate it, since it’s locked-box secure.
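The difference between the two models comes down to what the server ends up holding. The following is an added example, not code from the original article or from any of the products named above: the `Server` class, the key names and the sample message are assumptions, and the cipher is a toy stand-in built from the standard library, not a real-world algorithm.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt then authenticate: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    def __init__(self, link_keys):
        self.link_keys = link_keys   # keys the server shares with each user
        self.at_rest = []            # everything the server ends up holding

    def relay_in_transit(self, sender, recipient, blob):
        message = open_(self.link_keys[sender], blob)   # server decrypts here
        self.at_rest.append(message)                    # readable copy at rest
        return seal(self.link_keys[recipient], message)

    def relay_end_to_end(self, blob):
        self.at_rest.append(blob)    # server has no key: opaque bytes only
        return blob

def demo():
    message = b"Card ending 4242, PIN change approved"   # constructed sample
    alice, bob, pair = os.urandom(32), os.urandom(32), os.urandom(32)
    server = Server({"alice": alice, "bob": bob})
    via_transit = open_(bob, server.relay_in_transit("alice", "bob", seal(alice, message)))
    via_e2e = open_(pair, server.relay_end_to_end(seal(pair, message)))
    return message, via_transit, via_e2e, server.at_rest
```

In both models the recipient reads the message; only in the first does `server.at_rest` contain it in readable form, which is the copy an intruder or insider on the server would find.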
Is Encryption Secure?
Yes. It would take several years for hackers to penetrate sites locked with 256-bit AES encryption.
The problem is, hackers can get in at either end of the transmission. It’s a huge security concern, as seen from the fact that according to the HIPAA Journal, almost ten million healthcare records were compromised in September 2020 alone through 83 breaches.
Here's How Hackers Slip In
You give them entry
The most dangerous threats to corporate security are insiders, usually from your own company. And Forrester finds these threats are becoming more frequent.
Individuals, mostly privileged users and administrators, regular employees or third-party and temporary workers, threaten your sensitive data for a variety of reasons: it can be to blackmail you, snoop on you, sabotage production and so forth. Many times though, it’s human error, such as an employee sending sensitive data to the wrong recipient.
These insiders know your passwords or passcodes; you may have given these to them. Being internal, it’s also easy for them to clone your biometric fingerprints. Insiders don’t need to defeat the encryption. They simply need to compromise the credentials of those administrators that have access to the encrypted data.
Former computer intelligence consultant Edward Snowden, who leaked highly classified information from the National Security Agency (NSA) in 2013 when he was a subcontractor for the Central Intelligence Agency (CIA), is a case in point. (Read also: Trusting Encryption Just Got a Lot Harder.)
Hackers slip through the cracks
Hackers trick you into clicking on malicious hyperlinks, visiting risky sites or downloading potentially harmful files. They also slip in through weak or stolen passwords, brute force attacks where they enlist software tools to guess your password, or when you merely leave your devices around - with accounts open. Your data may be encrypted - but the door’s open for them to slide in.
Hackers find vulnerable access points
Hackers slip in through unprotected spots. Only certain parts of your online system are encrypted. So, for example, you could use a VPN to protect your internet connection, but hackers could still crawl into your online accounts.
In the same way, while Google encrypts your email, it also warns that it can’t guarantee the security of your emails all the time:
“Whenever possible, Gmail protects your info by using Transport Layer Security (TLS) to automatically encrypt emails you send or receive. TLS doesn’t work with messages from some email services.”
In other words, if you send mail from one Gmail account to another, you’re protected, but if you send Gmail to an account out of network, you may be risking the privacy of that mail.
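Whether a given message was actually protected by TLS on each leg of its journey can be read from its `Received` headers, where RFC 3848 keywords such as `ESMTPS` mark a TLS-protected hop. The following is an added example, not part of the original article: the sample message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames and addresses use reserved example ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.com with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 01 Jun 2021 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.9])
\tby mx.example.net with ESMTP id def456;
\tTue, 01 Jun 2021 10:00:02 +0000
Received: from laptop.example.org (laptop.example.org [192.0.2.5])
\tby relay.example.org with ESMTPSA id ghi789;
\tTue, 01 Jun 2021 10:00:01 +0000
From: alice@example.org
To: bob@example.com
Subject: constructed test message

body
"""

# RFC 3848 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hops(raw):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    out = []
    # Each relay prepends its header, so reverse to follow the delivery path.
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(header.split())          # unfold continuation lines
        src = re.search(r"\bfrom (\S+)", flat)
        dst = re.search(r"\bby (\S+)", flat)
        via = re.search(r"\bwith (\S+)", flat)
        proto = via.group(1).rstrip(";").upper() if via else "UNKNOWN"
        out.append((src.group(1) if src else "?",
                    dst.group(1) if dst else "?",
                    proto, proto in TLS_PROTOCOLS))
    return out

def plaintext_hops(raw):
    """Hops whose protocol keyword does not indicate TLS."""
    return [(s, d, p) for s, d, p, tls in hops(raw) if not tls]
```

Each relay writes its own `Received` line, so the result shows what the servers reported rather than proof of what happened on the wire; a hop listed by `plaintext_hops` is the leg where the mail could have been read in transit.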
One of the most common ways hackers slither in is through flaws in your software, hardware, computer operating system or the network and server you’re connected to.
Hackers dodge encryption
Modern hackers are more savvy than those of yore and many are turning to ransomware tactics. It takes too much time and expense for them to figure out which content is worth stealing. Cracking your online encryption takes too long. Today’s hackers take the smarter approach. They seal off access to your data, “generously” allowing you access only after you’ve paid their requested ransom. Examples: WannaCry, DarkSide, or Sodinokibi (REvil).
Bottom line: As much as encryption works, it’s no longer a deterrent. Hackers slip around it.
So What’s to be Done?
The remedy’s simple, cheap and straightforward. It also depends on you. (Read also: 10 Best Practices for Encryption Key Management and Data Security.)
Here’s the rundown:
Steer clear of suspicious ads, websites, links and messages. Any promotion that sounds too good to be true is likely just that - not true.
Consider installing an antivirus program if you don’t already have one, as it will scout for malware and remove bugs if needed. Update as required.
Update and patch software as soon as options are available. Make sure your device is secure, as should be the network and server you’re connected to. It’s risky to choose cheap services.
Secure your accounts with multifactor authentication, biometrics or secure passwords. And you really wouldn’t want to store that password on your web browser or leave it lying around. A password manager could help.
Create strong passwords that can't be guessed - a combination of upper- and lower-case letters, digits and symbols. And change these passwords often.
Keep your eye on your devices, secure your accounts, log out of your accounts after use and store your devices in a protected place.
There are lots of ways malicious actors can creep into your accounts and read or steal your data. And that has nothing to do with encryption. Thieves can get in through negligent conduct, insider threat, vulnerable crannies, brute force, social engineering or phishing attacks and archaic software or hardware, among scores of other opportunities.
Yes, end-to-end encryption helps, but it only goes so far. Practice safe habits to protect your data. It will keep you and your business secure.