The Unthought About Risks of Encryption

We hear a lot about encryption in this day in age, particularly around it being the panacea for compliance with data protection regulations. It’s true it can be a component of an information security and compliance strategy, but there are a variety of different encryption options available on the market today, so care needs to be taken with selecting the right solution to ensure it doesn’t turn into a nightmare resulting in non-compliance.

Selecting an encryption solution needs to be very much based around the business requirements of an organization; what sensitive information the company holds and processes, what digital channels data is shared through, where data is stored, what processes are in place, and what regulations the company must comply with. There are a multitude of encryption options available on the market today, including manual and automatic solutions, but what are some of the risks that should be considered as part of the selection process?

One of the age-old issues with encryption is key management; who can encrypt content and files and more importantly, decrypt the information.  And it’s the decryption piece which can trip organizations up – particularly if end users are in control of the process. If an individual encrypts a file and sends it out of the organization, there can be a problem with the organization understanding exactly what has been sent out. For example, did John Doe just send a list of customer details and their credit card numbers as part of that encrypted message?

Another risk associated with encryption is, if the user receives an encrypted file which contains their sensitive ‘personal’ data, the organization has no idea this data has entered the network but is ultimately now responsible for protecting it.  Under the EU GDPR, receiving sensitive information unauthorized can create a compliance breach which can have just as much impact as a data loss incident. Unwanted sensitive data acquisition is a huge risk to organizations today and encryption can prevent visibility of what data is entering the business. 

However, the risks don’t end there. When an individual departs an organization, there can be issues around gaining access to the documents/files that they encrypted. They may well have been encrypted and archived for safe keeping, but if there is no known key to access the information/files, this can create issues when it comes to auditing and compliance.  Think about critical legal files, financials, contracts, tenders etc. that you couldn’t gain access to.

So, what’s the solution?  It’s quite simple. Take the decision to remove the ability to encrypt from the user and let an automated encryption system handle the process, including looking after the keys.  For those organizations who use encryption today in an unmanaged way, an advanced secure email gateway solution can monitor, detect and quarantine unmanaged encrypted emails, both incoming and outgoing, to help with the migration to a managed solution. With several different types of automated encryption options available, understanding the benefits around which one to use and when is important.  The underlying mantra, however, is that the system carries out the encryption (and decryption), so that the organization always remains in control of the data and the risk of falling foul of any compliance issues is prevented - today or in the future.

If you’d like to learn more about automated encryption options, contact the Clearswift team. 

Additional information:

Clearswift SECURE Email Gateway

Best Practice Guide: Encryption and Secure File Transfer

Email Encryption Options – which one is right for you?